You must have wondered how senior developers write their code. If you have, let me tell you about a key difference in how experienced developers make their code efficient and enterprise-grade.
Robustness
Have you heard of the concept of "SQL Injection"? It is a method through which attackers enter specially crafted input containing SQL commands to perform unauthorized actions such as retrieving sensitive data, or even deleting an entire table.
Let me give you an example. Consider a table "People", queried like this:
SELECT * FROM People WHERE name = '' AND PASSWORD = '';
To run this query using Python, you must take two inputs, name and password.
name = input("Enter your name: ")
password = input("Enter your password: ")
But what if I enter the following?
Enter your name: ' OR 1=1 --
Enter your password: (empty value)
It will cause the following SQL query to run.
SELECT * FROM People WHERE name = '' OR 1=1 -- AND PASSWORD = '';
Notice how this query will return all rows from the table: the WHERE clause is always true because of the OR 1=1 condition, and the "--" comments out the rest of the query, including the password check.
Demonstration
Here is a demonstration of such a case using Python and Microsoft SQL Server.
import os
import pypyodbc as odbc

# I have kept my credentials hidden using the os module
DRIVER = os.getenv('DRIVER')      # Insert your connection driver name here
SERVER = os.getenv('SQL_SERVER')  # Insert your connection server name here (env var names cannot contain spaces)
DB = 'EnterpriseDB'

# ODBC key/value pairs joined on one line; the SQL Server keyword is Trusted_Connection
connection_string = (
    f'DRIVER={{{DRIVER}}};'
    f'SERVER={SERVER};'
    f'DATABASE={DB};'
    'Trusted_Connection=yes;'
)


def insert_values():
    conn = odbc.connect(connection_string)
    cursor = conn.cursor()
    cursor.execute("""CREATE TABLE People (
        name varchar(30) not null,
        password varchar(30) not null,
        age int,
        pin int,
        secret varchar(255)
    );
    """)
    cursor.execute("""INSERT INTO People (name, password, age, pin, secret)
        VALUES ('Chinmay', 'cp123', 20, 1111, 'I like to watch anime');
    """)
    conn.commit()
    conn.close()
Notice how I use "_" to separate words in variable names and all capitals for constants? This is the naming convention for Python. Naming conventions make your code easier to read and guide new developers looking into it. This is also a habit adopted by experienced developers.
Edit the above code to insert some more values, then try this:
def get_values():
    conn = odbc.connect(connection_string)
    cursor = conn.cursor()
    name = input("Enter your name: ")
    pw = input("Enter your password: ")
    # Vulnerable: the inputs are pasted straight into the SQL text
    cursor.execute(f"""SELECT * FROM People WHERE name = '{name}'
        AND password = '{pw}';
    """)
    rows = cursor.fetchall()
    if rows:
        for row in rows:
            print(row)
    else:
        print("Invalid password or name")
    conn.close()
Using SQL Injection
Enter the ' OR 1=1 -- input from above as the name and the query prints every row in the table. Congratulations, you lost not only your data but your job as a developer as well!
Prevention
def get_values_optimized():
    conn = odbc.connect(connection_string)
    cursor = conn.cursor()
    name = input("Enter your name: ")
    pw = input("Enter your password: ")
    # The ? placeholders are filled by the driver; the inputs never become SQL text
    query = "SELECT * FROM People WHERE name = ? AND password = ?;"
    cursor.execute(query, (name, pw))
    rows = cursor.fetchall()
    if rows:
        for row in rows:
            print(row)
    else:
        print("Invalid password or name")
    conn.close()
This method is known as "Parameterized Queries": the query text and the user inputs are sent to the database separately, so the input is treated purely as data and never as part of the SQL command.
Now your data and your system can be called "Secure".
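The two versions side by side, as an added example that is not the article's code: it uses the standard-library sqlite3 module in place of pypyodbc and SQL Server so it runs offline, with a constructed People table (the ? placeholder syntax is the same for both drivers), and also shows what happens when a legitimate name contains an apostrophe.

```python
import sqlite3

# Constructed sample data mirroring the article's People table.
SAMPLE_ROWS = [
    ("Chinmay", "cp123", 20, 1111, "I like to watch anime"),
    ("Alice", "hunter2", 31, 2222, "constructed second row"),
]


def make_db():
    """Build an in-memory People table (stand-in for the SQL Server database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE People (name TEXT NOT NULL, password TEXT NOT NULL,"
                 " age INT, pin INT, secret TEXT)")
    conn.executemany("INSERT INTO People VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, name, pw):
    """Same pattern as the article's get_values(): inputs pasted into the SQL text."""
    query = f"SELECT name FROM People WHERE name = '{name}' AND password = '{pw}'"
    return sorted(r[0] for r in conn.execute(query))


def login_parameterized(conn, name, pw):
    """Same pattern as get_values_optimized(): inputs travel as bound parameters."""
    query = "SELECT name FROM People WHERE name = ? AND password = ?"
    return sorted(r[0] for r in conn.execute(query, (name, pw)))


def compare(name, pw):
    """Run one credential pair through both versions; returns (vulnerable, parameterized)."""
    conn = make_db()
    try:
        try:
            vulnerable = login_vulnerable(conn, name, pw)
        except sqlite3.OperationalError as exc:
            # A legitimate apostrophe in the input breaks the pasted query outright
            vulnerable = f"SQL error: {exc}"
        return vulnerable, login_parameterized(conn, name, pw)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("Chinmay", "cp123"))   # both versions match the real user
    print(compare("' OR 1=1 --", ""))    # vulnerable returns every name, parameterized none
    print(compare("O'Brien", "x"))       # vulnerable raises a SQL error, parameterized returns none
```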
This was just one example of an SQL Injection countermeasure; for more insight and documentation, see the following resource.
Detailed Counter and Prevention Techniques
Thanks for reading through. I hope you liked it :)