Adjust heading level in rule documentation (#2749)

This commit is contained in:
Nick Pope
2023-02-11 00:10:42 +00:00
committed by GitHub
parent 0ec25d1514
commit 9f84c497f9
44 changed files with 176 additions and 174 deletions


@@ -2,22 +2,22 @@
Derived from the **flake8-bandit** linter.
### What it does
## What it does
Checks for strings that resemble SQL statements involved in some form
string building operation.
### Why is this bad?
## Why is this bad?
SQL injection is a common attack vector for web applications. Directly
interpolating user input into SQL statements should always be avoided.
Instead, favor parameterized queries, in which the SQL statement is
provided separately from its parameters, as supported by `psycopg3`
and other database drivers and ORMs.
### Example
## Example
```python
query = "DELETE FROM foo WHERE id = '%s'" % identifier
```
### References
## References
* [B608: Test for SQL injection](https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html)
* [psycopg3: Server-side binding](https://www.psycopg.org/psycopg3/docs/basic/from_pg2.html#server-side-binding)
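Review bot: the `## Example` section in this hunk still shows only the vulnerable pattern (`query = "DELETE FROM foo WHERE id = '%s'" % identifier`) and no corrected counterpart, even though the "Why is this bad?" text tells readers to favor parameterized queries as supported by `psycopg3`; consider adding a short "Use instead:" snippet under the same heading, for example `cursor.execute("DELETE FROM foo WHERE id = %s", (identifier,))`, so the rule documentation demonstrates the mitigation it recommends. The heading-level changes themselves (`###` to `##` for all four sections) are consistent with the commit's stated intent.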