
Wrong Sql Syntax Because Of Single Or Double Quote In String

sql = 'INSERT IGNORE INTO users_time_zone (user_id, email, username, gcm_reg_id, time_zone) ' \ 'VALUES(%s, '%s', '%s', '%s', '%s') ON DUPLICATE KEY UPDATE gcm_re

Solution 1:

Your code is vulnerable to SQL injection here...

You either want to use a prepared statement:

# Only placeholders go into the SQL text; the driver quotes and escapes each value itself.
sql = "INSERT IGNORE INTO users_time_zone (user_id, email, username, gcm_reg_id, time_zone) " \
      "VALUES(%s, %s, %s, %s, %s) ON DUPLICATE KEY UPDATE gcm_reg_id =%s, id=LAST_INSERT_ID(id) "

# Six values for six placeholders (gcm_reg_id is used twice).
data = (user_data['user_id'], user_data['email'], user_data['username'],
        user_data['gcm_reg_id'], user_data['time_zone'], user_data['gcm_reg_id'])

cursor = conn.cursor()
cursor.execute(sql, data)

Or escape the data manually:

# Escape every value, and keep a tuple because % formatting needs one.
# (Escaping does nothing for the unquoted user_id placeholder.)
data = tuple(map(conn.escape_string, data))

sql = "INSERT IGNORE INTO users_time_zone (user_id, email, username, gcm_reg_id, time_zone) " \
      "VALUES(%s, '%s', '%s', '%s', '%s') ON DUPLICATE KEY UPDATE gcm_reg_id ='%s', id=LAST_INSERT_ID(id) "\
        % data
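As an added, runnable illustration of the two failure modes this answer is about (a stray quote that breaks the statement, and the same mechanism used to inject), here is example code that is not part of the original question or answer. It uses Python's bundled sqlite3 as a stand-in for MySQL so it runs offline; the table name and columns follow the question, while the constructed sample rows, the `?` placeholder, the `''` escape rule and the `hijacked-reg` payload are assumptions of the example (MySQLdb/pymysql use `%s` placeholders and `conn.escape_string` instead).

```python
import sqlite3

# Constructed sample input. User 2 has the single quote that produced the
# syntax error in the question; user 3's username is an injection payload
# that closes the VALUES list early and comments out the rest of the query.
SAMPLE_USERS = [
    {"user_id": 1, "email": "a@example.com", "username": "alice",
     "gcm_reg_id": "reg-1", "time_zone": "UTC"},
    {"user_id": 2, "email": "o@example.com", "username": "o'brien",
     "gcm_reg_id": "reg-2", "time_zone": "Europe/Dublin"},
    {"user_id": 3, "email": "m@example.com",
     "username": "x', 'hijacked-reg', 'UTC') -- ",
     "gcm_reg_id": "reg-3", "time_zone": "UTC"},
]

COLUMNS = ("user_id", "email", "username", "gcm_reg_id", "time_zone")
INSERT_HEAD = ("INSERT INTO users_time_zone "
               "(user_id, email, username, gcm_reg_id, time_zone) ")


def make_db():
    """In-memory SQLite stand-in for the MySQL table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users_time_zone ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER UNIQUE, "
        "email TEXT, username TEXT, gcm_reg_id TEXT, time_zone TEXT)"
    )
    return conn


def insert_formatted(conn, u):
    """Vulnerable: values are pasted into the SQL text with % formatting,
    exactly the pattern from the question."""
    sql = (INSERT_HEAD + "VALUES(%s, '%s', '%s', '%s', '%s')") % tuple(
        u[c] for c in COLUMNS)
    conn.execute(sql)


def _sqlite_escape(value):
    # Doubling ' is SQLite's escape inside a string literal; MySQLdb's
    # conn.escape_string does the MySQL equivalent (backslash escapes).
    return str(value).replace("'", "''")


def insert_escaped(conn, u):
    """Manual escaping, the answer's second option. It handles both inputs
    here, but the unquoted user_id placeholder is not protected by escaping,
    so it is coerced to int; parameters are the safer default."""
    sql = (INSERT_HEAD + "VALUES(%d, '%s', '%s', '%s', '%s')") % (
        int(u["user_id"]), _sqlite_escape(u["email"]),
        _sqlite_escape(u["username"]), _sqlite_escape(u["gcm_reg_id"]),
        _sqlite_escape(u["time_zone"]))
    conn.execute(sql)


def insert_parameterized(conn, u):
    """Safe: the driver receives the values separately from the SQL.
    sqlite3 uses ? placeholders; MySQLdb/pymysql use %s as in the answer."""
    sql = INSERT_HEAD + "VALUES(?, ?, ?, ?, ?)"
    conn.execute(sql, tuple(u[c] for c in COLUMNS))


def stored_reg_id(conn, user_id):
    """Return the gcm_reg_id that actually landed in the table for a user."""
    row = conn.execute(
        "SELECT gcm_reg_id FROM users_time_zone WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


def run_all():
    """Insert the sample users with each strategy into a fresh table and
    report, per user, the stored gcm_reg_id or the error raised."""
    results = {}
    for label, insert in (("formatted", insert_formatted),
                          ("escaped", insert_escaped),
                          ("parameterized", insert_parameterized)):
        conn = make_db()
        outcome = {}
        for u in SAMPLE_USERS:
            try:
                insert(conn, u)
                outcome[u["user_id"]] = stored_reg_id(conn, u["user_id"])
            except sqlite3.OperationalError as exc:
                outcome[u["user_id"]] = "syntax error: %s" % exc
        results[label] = outcome
    return results


if __name__ == "__main__":
    for label, outcome in run_all().items():
        print(label, outcome)
```

With the formatted query, user 2 fails with the syntax error from the question and user 3 ends up registered with the attacker's `hijacked-reg` push id; with escaping or parameters every row stores the value the user actually supplied. The `--` payload needs the trailing space to be a comment in MySQL as well.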
