Flask framework, ~5 mins

SQL injection prevention in Flask - Cheat Sheet & Quick Revision

beginner
What is SQL injection?
SQL injection is a security problem where an attacker adds harmful SQL code into input fields to trick the database into doing things it shouldn't, like revealing or changing data.
beginner
How does using parameterized queries help prevent SQL injection in Flask?
Parameterized queries keep user input separate from the SQL code. This means the database treats input only as data, not as commands, stopping attackers from changing the query's meaning.
intermediate
What Flask extension is commonly used to safely interact with databases and prevent SQL injection?
Flask-SQLAlchemy is a popular extension that helps write safe database queries using an object-oriented style, which automatically handles input safely to avoid SQL injection.
beginner
Why should you avoid building SQL queries by directly adding user input strings in Flask?
Directly adding user input to SQL queries can let attackers insert harmful commands. This is unsafe because the database runs whatever code it receives, including bad commands.
intermediate
What is an example of a safe way to query a database in Flask using parameterized queries?
Using Flask's database cursor with placeholders like: cursor.execute('SELECT * FROM users WHERE name = %s', (username,)) safely inserts the username without risk of injection.
What is the main risk of SQL injection?
A) Attackers can run harmful SQL commands through user input
B) The database runs faster
C) User input is ignored
D) The website loads slower
Which method helps prevent SQL injection in Flask?
A) Using plain text files instead of databases
B) Concatenating strings to build queries
C) Ignoring user input
D) Using parameterized queries with placeholders
What does Flask-SQLAlchemy provide to help with SQL injection?
A) A way to write raw SQL strings only
B) An object-oriented way to build safe queries
C) A tool to speed up the database
D) A method to disable user input
Why is directly adding user input to SQL queries dangerous?
A) It makes the code shorter
B) It improves database security
C) It can let attackers change the query meaning
D) It prevents errors
Which of these is a safe example of querying a database in Flask?
A) cursor.execute('SELECT * FROM users WHERE name = %s', (username,))
B) cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")
C) cursor.execute('SELECT * FROM users WHERE name = ' + username)
D) cursor.execute('SELECT * FROM users')
Explain how parameterized queries prevent SQL injection in Flask applications.
Hint: Think about how the database sees the input versus the command.
Describe why directly inserting user input into SQL queries is unsafe and how Flask-SQLAlchemy helps avoid this problem.
Hint: Consider how Flask-SQLAlchemy changes the way queries are written.