Security: SQL injection risk in pandas Jupyter tutorial

## Description

The insert_values function in the pandas Jupyter tutorial (docs/integrate/pandas/tutorial-jupyter.md, lines 260-369) builds SQL INSERT statements using string concatenation without proper parameterization. This creates potential SQL injection vulnerabilities when users adapt the code for other data sources.

## Problem

At line 289, ticker values are directly interpolated into the SQL string. If a ticker contained a single quote (e.g., O'REILLY), it would break the SQL statement and could allow injection attacks with untrusted data sources.

## Suggested Solution

1. Add a warning note about the security implications for production use
2. Demonstrate the safer approach using parameterized queries with cursor.executemany()

Use parameterized queries instead of string concatenation to prevent SQL injection.

## References

- Original discussion: https://github.com/crate/cratedb-guide/pull/297#discussion_r2392441430
- File: docs/integrate/pandas/tutorial-jupyter.md

Requested by @amotl

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: SQL injection risk in pandas Jupyter tutorial #354

Description

Problem

Suggested Solution

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: SQL injection risk in pandas Jupyter tutorial #354

Description

Description

Problem

Suggested Solution

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions