sql injection in sqlite full text search

偶尔善良 submitted on 2021-02-16 20:46:11

Question


consider sqlite3 fts4 table

c.execute("CREATE VIRTUAL TABLE docs USING fts4(content)")

Is the following safe from sql injection where txt contains a string?

I am not sure if a parameterised query is safe or not, since there is only one parameter txt which is a string.

c.execute("SELECT * FROM docs WHERE docs MATCH (?)",(txt,))

Answer 1:


Yes, it is safe from SQL injection; that is what the SQL parameter is for, to escape and quote txt properly.

If you were to use string formatting ("... MATCH ('%s')" % txt or " ... MATCH ('{}')".format(txt)), then you'd be opening a SQL injection vector, as you wouldn't be escaping metacharacters in txt.
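As an added example (not code from the question or the answer), the two query styles side by side against an in-memory FTS4 table with constructed rows and a constructed `secrets` table: the bound parameter keeps attacker-controlled text inside the MATCH expression, whereas the formatted string lets the same text extend the SQL statement. It also shows the caveat that FTS operators such as OR in the parameter are still honoured, so the user controls search semantics even though they cannot alter the SQL.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_DOCS = ["alpha bravo", "charlie delta", "echo foxtrot"]
SAMPLE_SECRET = "constructed-secret-value"


def make_db():
    """Build an in-memory database with the FTS4 table from the question
    plus an unrelated table an injected query could read from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE VIRTUAL TABLE docs USING fts4(content)")
    conn.executemany("INSERT INTO docs(content) VALUES (?)",
                     [(d,) for d in SAMPLE_DOCS])
    conn.execute("CREATE TABLE secrets(secret TEXT)")
    conn.execute("INSERT INTO secrets(secret) VALUES (?)", (SAMPLE_SECRET,))
    conn.commit()
    return conn


def search_parameterised(conn, txt):
    """The query from the question: txt is bound as a value, so it can only
    ever be interpreted as an FTS MATCH expression, never as SQL."""
    try:
        return conn.execute(
            "SELECT content FROM docs WHERE docs MATCH (?)", (txt,)).fetchall()
    except sqlite3.OperationalError:
        # A malformed FTS expression is rejected by the FTS query parser;
        # it cannot change the statement, so treat it as "no match".
        return []


def search_formatted(conn, txt):
    """The pattern the answer warns against: txt is spliced into the SQL
    text, so quote and comment characters in txt rewrite the statement."""
    return conn.execute(
        "SELECT content FROM docs WHERE docs MATCH ('%s')" % txt).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed injection string: closes the MATCH argument and appends a UNION.
    hostile = "x') UNION SELECT secret FROM secrets --"
    print("parameterised:", search_parameterised(db, hostile))   # []
    print("formatted:    ", search_formatted(db, hostile))       # leaks the secret
    # Bound parameters still honour FTS syntax: OR is a search operator here.
    print("fts operator: ", search_parameterised(db, "alpha OR charlie"))
```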



Source: https://stackoverflow.com/questions/16501585/sql-injection-in-sqlite-full-text-search
