SQL injection is a security risk where bad users can change your database commands. Preventing it keeps your data safe and your app working right.
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))cursor.execute("SELECT * FROM users WHERE username = %s", (username,))cursor.execute("INSERT INTO users (name, email) VALUES (%s, %s)", (name, email))cursor.execute("UPDATE users SET email = %s WHERE id = %s", (email, user_id))This Flask app has a route to find a user by username safely. It uses a parameterized query to avoid SQL injection.
from flask import Flask, request import psycopg2 app = Flask(__name__) conn = psycopg2.connect(dbname='testdb', user='user', password='pass', host='localhost') @app.route('/find_user') def find_user(): username = request.args.get('username', '') with conn.cursor() as cursor: cursor.execute("SELECT id, username FROM users WHERE username = %s", (username,)) user = cursor.fetchone() if user: return f"User found: ID={user[0]}, Username={user[1]}" else: return "User not found" if __name__ == '__main__': app.run(debug=True)
Always use parameterized queries or ORM methods that handle parameters for you.
Never trust user input; always treat it as unsafe until handled properly.
Test your app with special characters to ensure injection is blocked.
SQL injection lets attackers change your database commands.
Use parameterized queries in Flask with your database cursor to prevent it.
This keeps your app and data safe from bad users.