# Using sqlite3 for python, one method secure, one not, why?

## 2 posts in this topic

```python
import sqlite3

conn = sqlite3.connect(':memory:')
c = conn.cursor()
c.execute("CREATE TABLE stocks (symbol TEXT)")  # minimal table so the queries below run
c.execute("INSERT INTO stocks VALUES ('RHAT')")

# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

# Do this instead: '?' is a placeholder, the tuple supplies the value
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print(c.fetchone())
```


My understanding is that a SQL injection is when, instead of supplying data or a variable, you substitute a SQL command. My question is why is the second option better than the first. What makes the second option better than the first?

Edited by Biffenbob
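An added example that is not part of the original post: it runs both patterns from the question against an in-memory sqlite3 database and returns what each one gives back for the same input. The table layout, the sample rows and the three test inputs are constructed for this demonstration. It shows the difference the question asks about: with `%` formatting the value becomes part of the SQL text, so a quote in the input either breaks the statement or rewrites the WHERE clause, whereas with `?` the driver binds the value separately and it can only ever be compared as a string.

```python
# Added example (not from the original post): contrasts string formatting with
# a parameterized query on an in-memory sqlite3 database. Table name, columns
# and sample rows are constructed for this demonstration.
import sqlite3


def make_db():
    """Build a throwaway in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("CREATE TABLE stocks (symbol TEXT, qty INTEGER)")
    c.executemany("INSERT INTO stocks VALUES (?, ?)",
                  [("RHAT", 100), ("IBM", 50), ("MSFT", 75)])
    conn.commit()
    return conn


def lookup_formatted(conn, symbol):
    """The insecure pattern: the value is spliced into the SQL text, so any
    quote character in `symbol` becomes part of the statement's syntax."""
    c = conn.cursor()
    c.execute("SELECT symbol FROM stocks WHERE symbol = '%s'" % symbol)
    return [row[0] for row in c.fetchall()]


def lookup_parameterized(conn, symbol):
    """The safe pattern: '?' is a placeholder; sqlite3 binds `symbol` as a
    value at execution time, so it is never parsed as SQL."""
    c = conn.cursor()
    c.execute("SELECT symbol FROM stocks WHERE symbol = ?", (symbol,))
    return [row[0] for row in c.fetchall()]


def compare(symbol):
    """Run both lookups on the same input and report what each returned.
    A statement that fails to parse is reported as the error text instead."""
    conn = make_db()
    results = {}
    for name, fn in (("formatted", lookup_formatted),
                     ("parameterized", lookup_parameterized)):
        try:
            results[name] = fn(conn, symbol)
        except sqlite3.OperationalError as exc:
            results[name] = "OperationalError: %s" % exc
    conn.close()
    return results


if __name__ == "__main__":
    # Ordinary input: both approaches agree.
    print(compare("RHAT"))
    # Input containing a quote: formatting produces broken SQL, binding is fine.
    print(compare("O'REILLY"))
    # Input that is itself a SQL fragment: formatting changes the WHERE clause
    # and returns every row; binding compares the literal string and finds none.
    print(compare("' OR '1'='1"))
```

The second and third inputs are the ones worth noticing. `O'REILLY` is a perfectly legitimate value, yet the formatted query cannot even be parsed, which is the same root cause as the injection: the database has no way to tell where the value ends and the SQL resumes. The parameterized query never has that ambiguity, because the statement text is fixed before the value is supplied.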
