將這個代碼防止SQL注入（Python）的

Question

請讓我知道會下列代碼100％防止SQL注入蟒蛇

樣本1

username = request.GET('username') # non-filtered user input 
connection.execute("SELECT id,name,email FROM user WHERE username=%s LIMIT 1", (username,)) 

樣品2

username = request.POST('username') # non-filtered user input 
name = request.POST('name') # non-filtered user input 
email = request.POST('email') # non-filtered user input 
connection.execute("UPDATE user SET name=%s, email= %s WHERE username=%s LIMIT 1", (name, email, username,)) 

Answer 1

％s的概念是從查詢中分離數據。當你傳遞兩個參數時，它們被組合在模塊中。它的目的是減輕注射，但我很猶豫，說「100％」

編輯：許多聰明比我（！甚至現實生活中的安全專家）在這裏也稱： https://security.stackexchange.com/questions/15214/are-prepared-statements-100-safe-against-sql-injection