| if name: | ||
| cursor.execute( | ||
| "SELECT * FROM books WHERE name LIKE %s", name | ||
| "SELECT * FROM books WHERE name LIKE '%" + name + "%'" |
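Review bot: the new line drops the bound parameter and splices `name` into the SQL text, so any value containing a quote rewrites the query (this is what the CodeQL alert below reports). Keep the `LIKE %s` form and move the wildcards into the bound value, e.g. `cursor.execute("SELECT * FROM books WHERE name LIKE %s", ("%" + name + "%",))`. Note that the removed line passed `name` bare rather than as a one-element sequence; DB-API drivers expect positional parameters as a sequence, so the trailing comma matters.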
Check failure
Code scanning / CodeQL
SQL query built from user-controlled sources High
Copilot Autofix
AI 6 months ago
To fix this vulnerability in server/routes.py, replace the unsafe string concatenation in the SQL query on line 16 with a parameterized query using the DB API provided by the cursor object. Most Python DB connectors (including those underlying Flask and SQLAlchemy) support using placeholders (often %s for positional parameters) in SQL, with actual parameter values passed as separate arguments. For SQL LIKE statements, you usually need to format the % wildcards as part of the parameter—not inside the query string—so use "SELECT * FROM books WHERE name LIKE %s" with the parameter being f"%{name}%". No new imports are needed. Only line 16 (and the lines around it for context) need to be updated.
| @@ -13,7 +13,7 @@ | ||
| if name: | ||
| cursor.execute( | ||
| "SELECT * FROM books WHERE name LIKE '%" + name + "%'" | ||
| "SELECT * FROM books WHERE name LIKE %s", (f"%{name}%",) | ||
| ) | ||
| books = [Book(*row) for row in cursor] | ||
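Review bot: the added line binds `name` correctly, but `%` and `_` inside the value are still LIKE wildcards, so a search for `%` returns every book and a long run of `%` can be slow; if the intent is a literal substring match, escape those two characters in the parameter and append an `ESCAPE` clause to the query. Also confirm the connector's paramstyle before merging: `%s` is right for psycopg2 and MySQLdb, while sqlite3 expects `?`.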
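The following is an added example, not code from the repository under review or from the Copilot Autofix comment. It reproduces the flagged pattern against a constructed in-memory SQLite database (table and row contents are made up for the demo; `users` is a hypothetical second table standing in for anything an attacker should not reach) and compares three variants: the concatenated query from the alert, the autofix shape with wildcards inside the bound parameter, and a third variant that also escapes `%` and `_` so user input matches literally. SQLite's paramstyle is `?`, where the page's connector uses `%s`; that is the only change to the query shape.

```python
import sqlite3

# Constructed sample data for the demo; not the repository's schema.
BOOKS = [
    (1, "Dune", "Frank Herbert"),
    (2, "100% Python", "Nobody"),
    (3, "Neuromancer", "William Gibson"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a books table plus a second table
    (hypothetical 'users') that the search endpoint must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER, name TEXT, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", BOOKS)
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-placeholder')")
    return conn


def search_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Same shape as the line CodeQL flagged: the user value becomes SQL text,
    so a quote in `name` terminates the literal and the rest is executed."""
    cur = conn.execute("SELECT * FROM books WHERE name LIKE '%" + name + "%'")
    return cur.fetchall()


def search_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Autofix shape: the query text is constant and the wildcards travel
    inside the bound value, so `name` can never change the statement.
    sqlite3 uses '?' where psycopg2/MySQLdb use '%s'."""
    cur = conn.execute("SELECT * FROM books WHERE name LIKE ?", (f"%{name}%",))
    return cur.fetchall()


def like_escape(value: str, esc: str = "\\") -> str:
    """Make `value` match literally inside a LIKE pattern by escaping the
    escape character itself first, then LIKE's own wildcards % and _."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized AND wildcard-safe: a user-supplied '%' or '_' is matched
    as a character, not as a pattern, thanks to the ESCAPE clause."""
    cur = conn.execute(
        "SELECT * FROM books WHERE name LIKE ? ESCAPE '\\'",
        (f"%{like_escape(name)}%",),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: closes the literal, UNIONs in the other table,
    # and comments out the trailing "%'" from the original query.
    payload = "zzz%' UNION SELECT 0, username, password_hash FROM users --"
    print("vulnerable   :", search_vulnerable(db, payload))
    print("parameterized:", search_parameterized(db, payload))
    print("wildcard '%' :", search_parameterized(db, "%"))
    print("escaped '%'  :", search_escaped(db, "%"))
```

Run it as a script and the first line leaks the hypothetical `users` row, the second returns nothing for the same payload, and the last two show the difference the `ESCAPE` clause makes when the user types a bare `%`.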