Preventing SQL Injection Attacks With Python

How to safely compose any query in Python

SQL injections are consistently ranked among the most common attacks against systems. For this reason, ORMs offer many ways of dealing with injections. A common solution is bind variables: placeholders in the query that are sanitized by the ORM (or the database driver) so the query can be executed safely in the database.

However, while binding values is very common, I often find myself needing to use table and column names as variables as well. A stroll through psycopg2's documentation led me to the discovery of psycopg2.sql.Identifier and psycopg2.sql.Literal, two low-level building blocks for safely composing any part of a query, not just its values.

This discovery sparked my fourth article for RealPython, “Preventing SQL Injection Attacks With Python”. If you’re not sure what SQL injection is, this article will walk you through everything you need to know. If you are an ORM veteran, check your knowledge and get yourself familiar with the low-level psycopg2.sql module.
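To make the distinction concrete, here is an added example (my own code, not from the RealPython article or from psycopg2) that shows the three cases the post talks about: a value interpolated into the query text, the same value passed as a bind variable, and a table or column name supplied at runtime. It uses the standard library's sqlite3 module so it runs without a PostgreSQL server; the allowlist plus manual double-quoting in `quote_identifier` stands in for what psycopg2.sql.Identifier does for you on PostgreSQL. The table, rows, and the allowlist contents are constructed for the example.

```python
import sqlite3

# Constructed allowlist: the only identifiers that application code may ever
# splice into a query. Anything else is rejected before it reaches the driver.
ALLOWED_COLUMNS = {"users": {"id", "username", "admin"}}


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    return conn


def count_unsafe(conn: sqlite3.Connection, username: str) -> int:
    """Vulnerable form: user input becomes part of the SQL text itself."""
    query = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone()[0]


def count_safe(conn: sqlite3.Connection, username: str) -> int:
    """Hardened form: the value travels as a bind variable, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()[0]


def is_allowed_identifier(table: str, column: str) -> bool:
    """True only for identifiers the application has explicitly allowlisted."""
    return table in ALLOWED_COLUMNS and column in ALLOWED_COLUMNS[table]


def quote_identifier(name: str) -> str:
    """Quote an identifier the way SQL requires: double quotes, with any
    embedded double quote doubled. psycopg2.sql.Identifier performs this
    quoting for PostgreSQL; this is a hand-written equivalent for SQLite."""
    return '"' + name.replace('"', '""') + '"'


def count_by_column(conn: sqlite3.Connection, table: str, column: str, value) -> int:
    """Identifiers cannot be bound as parameters, so they are allowlisted and
    quoted; the comparison value is still bound as a parameter."""
    if not is_allowed_identifier(table, column):
        raise ValueError(f"identifier not allowed: {table}.{column}")
    query = (
        f"SELECT COUNT(*) FROM {quote_identifier(table)} "
        f"WHERE {quote_identifier(column)} = ?"
    )
    return conn.execute(query, (value,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote character
    print("unsafe, crafted input :", count_unsafe(db, crafted))   # matches every row
    print("safe, crafted input   :", count_safe(db, crafted))     # matches nothing
    print("non-admin users       :", count_by_column(db, "users", "admin", 0))
```

The shape of the fix is the same in both cases: a value goes through the driver's bind mechanism, and a structural element such as a table or column name is checked against a fixed set of names the application already knows, then quoted as an identifier. On PostgreSQL, `psycopg2.sql.SQL("... {} = %s").format(sql.Identifier(column))` gives you the quoting step without writing it yourself, but the allowlist check is still yours to make.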

Read “Preventing SQL Injection Attacks With Python” on RealPython ≫

