```python
import psycopg2


def get_email_fixed(name):
    conn = psycopg2.connect("dbname=dq user=dq")
    cur = conn.cursor()
    # the following query should not allow an SQL injection problem
    cur.execute("SELECT email FROM users WHERE name = %s;", (name,))
    res = cur.fetchall()
    conn.close()
    return res


name_and_address = get_email("Larry Cain' UNION SELECT address FROM users WHERE name = 'Larry Cain")
print(name_and_address)
```
What I expected to happen:
The code above is given as the solution to preventing SQL injection. I expected that SQL injection would not be allowed somehow. The last 2 lines are mine and show that SQL injection still happens.
What actually happened:
The output was: [('[email protected]',), ('58208 Cook Bypass West Benjaminfurt OH 25179',)]
The point of this example was to show that SQL injection won’t happen. What am I missing?
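An added, self-contained example (not code from the original post) that puts the string-formatted query and the parameterised query side by side so the difference in behaviour is visible. It uses Python's built-in `sqlite3` in memory instead of psycopg2 so it runs offline; the placeholder is `?` in sqlite3 where psycopg2 uses `%s`, but the mechanism is the same. The table rows, email and address values are constructed sample data, and the function names `get_email_unsafe`, `get_email_fixed` and `compare` are this example's own.

```python
import sqlite3

# Constructed sample data (not from the original post): two users with a name,
# an email and a separate address column, mirroring the schema the post queries.
SAMPLE_USERS = [
    ("Larry Cain", "larry@example.com", "1 Example Street"),
    ("Jane Roe", "jane@example.com", "2 Example Avenue"),
]

# The same input string the post passes in.
INJECTED_NAME = "Larry Cain' UNION SELECT address FROM users WHERE name = 'Larry Cain"


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, address TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def get_email_unsafe(conn, name):
    """The pattern to avoid: the untrusted name is spliced into the SQL text,
    so a quote character inside it changes the structure of the statement."""
    cur = conn.cursor()
    cur.execute("SELECT email FROM users WHERE name = '%s';" % name)
    return cur.fetchall()


def get_email_fixed(conn, name):
    """Parameterised query: the driver passes the name as a bound value, so the
    database compares the whole string, quotes and all, against the column.
    sqlite3 uses '?' as the placeholder where psycopg2 uses '%s'."""
    cur = conn.cursor()
    cur.execute("SELECT email FROM users WHERE name = ?;", (name,))
    return cur.fetchall()


def compare(name):
    """Run both variants against a fresh database and return (unsafe, fixed)."""
    conn = make_db()
    try:
        return get_email_unsafe(conn, name), get_email_fixed(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    unsafe, fixed = compare(INJECTED_NAME)
    print("unsafe:", unsafe)  # email and address both come back: two rows
    print("fixed: ", fixed)   # no user has that literal name, so no rows
    print("fixed, ordinary input:", compare("Larry Cain")[1])
```

Running it shows the parameterised version returning an empty list for the crafted name (the database looks for a user literally called `Larry Cain' UNION SELECT ...`, which does not exist) and the expected single email for a plain name. That is the behaviour the post was expecting from `get_email_fixed`; the check is simply which function the final two lines actually call.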