odoo-community.org | The Odoo Community Association Website | Portal library
kandi X-RAY | odoo-community.org Summary
The Odoo Community Association Website
Community Discussions
QUESTION
I'm using odoo pylint and encountered this message: 'Odoo E8103: SQL injection risk. Use parameters if you can'. It was referring to the following example SQL query line pattern:
ANSWER
Answered 2020-Nov-17 at 10:13
You've changed it correctly. Never ever ignore that lint message if you're not fully sure about the reasons behind it.
The OCA description already has the correct answers on why to avoid such code:
Care must be taken not to introduce SQL injection vulnerabilities when using manual SQL queries. The vulnerability is present when user input is either incorrectly filtered or badly quoted, allowing an attacker to introduce undesirable clauses into a SQL query (such as circumventing filters or executing UPDATE or DELETE commands).
The best way to be safe is to never, NEVER use Python string concatenation (+) or string parameters interpolation (%) to pass variables to a SQL query string.
The second reason, which is almost as important, is that it is the job of the database abstraction layer (psycopg2) to decide how to format query parameters, not your job! For example psycopg2 knows that when you pass a list of values it needs to format them as a comma-separated list, enclosed in parentheses!
Even the good old comic "Bobby tables" from xkcd is mentioned ;-)
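As an added example (not code from the answer, the OCA guidelines or the pylint-odoo plugin): a simplified, stdlib-only checker for the pattern E8103 warns about, built on Python's `ast` module. It walks a constructed `SAMPLE` of cursor calls and reports each `execute()` whose query string is assembled at runtime with `+`, `%`, `.format()` or an f-string, while leaving the parameterised call alone; the heuristics and the sample source are assumptions, not the real checker's logic.

```python
import ast

# Constructed sample of Odoo-style cursor calls (not code from the page).
SAMPLE = '''
def bad(cr, ids, name, x):
    cr.execute("SELECT id FROM res_partner WHERE id IN (%s)" % ",".join(map(str, ids)))
    cr.execute("DELETE FROM res_partner WHERE name = '" + name + "'")
    cr.execute(f"UPDATE res_partner SET active = {x}")
    cr.execute("SELECT 1 FROM res_partner WHERE id = {}".format(x))

def good(cr, ids):
    cr.execute("SELECT id FROM res_partner WHERE id IN %s", (tuple(ids),))
    cr.execute("SELECT 1 " "FROM res_partner")
'''

def _constant_only(node):
    # A literal, a tuple of literals, or literals joined with "+" is static.
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.Tuple):
        return all(_constant_only(e) for e in node.elts)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _constant_only(node.left) and _constant_only(node.right)
    return False

def _dynamic_kind(node):
    # How the query string is assembled at runtime, or None if it is static.
    if isinstance(node, ast.JoinedStr):
        if any(isinstance(v, ast.FormattedValue) for v in node.values):
            return "f-string"
    elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        if not _constant_only(node.right):
            return "% interpolation"
    elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        if not _constant_only(node):
            return "+ concatenation"
    elif isinstance(node, ast.Call) and getattr(node.func, "attr", None) == "format":
        return ".format()"
    return None

def find_sql_injection_risks(source, methods=("execute",)):
    # Return sorted (lineno, kind) for each execute() whose query argument is dynamic.
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in methods and node.args):
            kind = _dynamic_kind(node.args[0])
            if kind:
                findings.append((node.lineno, kind))
    return sorted(findings)
```

Run on `SAMPLE`, the four calls in `bad()` are reported and the two in `good()` are not; a query whose `%` right-hand side is itself a literal is treated as static, since no runtime value reaches it.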
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported