Looks for SQL statements assembled with Python string formatting, a common source of SQL injection. Covers:
- f-strings
- str.format()
- % formatting
Flags formatted string literals that start with:
- INSERT INTO
- DELETE FROM
- ALTER TABLE
- DROP DATABASE
- CREATE DATABASE
It also flags strings that start with SELECT and contain FROM, and strings that start with UPDATE and contain SET.
The check is case-insensitive.
This check does not verify whether the interpolated value has been validated or escaped: it flags the string construction itself, so a query built from sanitized input is still reported.
Each of the following expressions triggers a warning:
id = get_id()  # untrusted input: could carry a SQL injection payload
query1 = f"SELECT * FROM users WHERE id = {id}"
query2 = "SELECT * FROM users WHERE id = %s" % id
query3 = "SELECT * FROM users WHERE id = {0}".format(id)
query4 = f"UPDATE users SET is_admin = 1 WHERE id = {id}"
query5 = f"DELETE FROM users WHERE id = {id}"
query6 = f"INSERT INTO users (id) VALUES ({id})"
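The detection logic described above, written out as an added example (this is illustrative code, not the checker's own implementation): it parses Python source with the standard `ast` module, finds the three formatting constructs, and matches the literal part of each string against the case-insensitive SQL patterns listed earlier. `SAMPLE` is constructed input containing the triggering expressions plus two strings that must not be reported: a non-SQL f-string and a parameterized query.

```python
import ast
import re

# Case-insensitive patterns from the rule description: statements that start with
# INSERT INTO / DELETE FROM / ALTER TABLE / DROP DATABASE / CREATE DATABASE,
# SELECT ... FROM, and UPDATE ... SET.
SQL_PATTERNS = [
    re.compile(r"^\s*(INSERT\s+INTO|DELETE\s+FROM|ALTER\s+TABLE|DROP\s+DATABASE|CREATE\s+DATABASE)\b", re.I),
    re.compile(r"^\s*SELECT\b.*\bFROM\b", re.I | re.S),
    re.compile(r"^\s*UPDATE\b.*\bSET\b", re.I | re.S),
]


def looks_like_sql(text):
    """True if the literal text matches one of the SQL statement shapes."""
    return any(p.search(text) for p in SQL_PATTERNS)


def fstring_text(node):
    """Reconstruct the literal parts of an f-string, replacing every {expr} with '{}'."""
    parts = []
    for value in node.values:
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            parts.append(value.value)
        else:
            parts.append("{}")
    return "".join(parts)


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_formatted_sql(source):
    """Return sorted (lineno, kind) pairs for each formatted string literal that looks like SQL.

    Only the literal is inspected; whether the interpolated value was validated is
    deliberately not considered, which mirrors the behaviour described for the check.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.JoinedStr):
            # f"..." literal
            if looks_like_sql(fstring_text(node)):
                findings.append((node.lineno, "f-string"))
        elif (isinstance(node, ast.Call)
              and isinstance(node.func, ast.Attribute)
              and node.func.attr == "format"
              and _is_str_literal(node.func.value)):
            # "...".format(...)
            if looks_like_sql(node.func.value.value):
                findings.append((node.lineno, "str.format"))
        elif (isinstance(node, ast.BinOp)
              and isinstance(node.op, ast.Mod)
              and _is_str_literal(node.left)):
            # "..." % args
            if looks_like_sql(node.left.value):
                findings.append((node.lineno, "%-format"))
    return sorted(findings)


# Constructed sample source for the demonstration (not from the original page).
SAMPLE = '''\
user_id = get_id()
query1 = f"SELECT * FROM users WHERE id = {user_id}"
query2 = "SELECT * FROM users WHERE id = %s" % user_id
query3 = "select * from users where id = {0}".format(user_id)
query4 = f"UPDATE users SET is_admin = 1 WHERE id = {user_id}"
query5 = f"DELETE FROM users WHERE id = {user_id}"
query6 = f"INSERT INTO users (id) VALUES ({user_id})"
greeting = f"Hello {user_id}"
rows = cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
'''

if __name__ == "__main__":
    for lineno, kind in find_formatted_sql(SAMPLE):
        print(f"line {lineno}: SQL built with {kind}")
```

Lines 2 to 7 of `SAMPLE` are reported; the greeting f-string has no SQL shape, and the parameterized query on the last line is a plain string constant rather than a formatting operation, so neither is flagged.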
Prefer parameterized queries (driver-supplied placeholders) over string formatting, so that the value can never alter the statement. Where a value cannot be passed as a parameter, such as a table or column name, apply input validation and escaping.
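The vulnerable construction beside its hardened forms, as an added example that is not part of the original page: the f-string query lets a crafted value rewrite the WHERE clause, the parameterized query binds the same value harmlessly, and the sort helper shows allow-list validation for an identifier that cannot be bound. The in-memory sqlite3 database, the `users` table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)],
    )
    return conn


def fetch_user_vulnerable(conn, user_id):
    """Flagged by the check: SELECT ... FROM assembled with an f-string.

    A value such as "1 OR 1=1" becomes part of the statement and returns every row.
    """
    query = f"SELECT name FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(query)]


def fetch_user_safe(conn, user_id):
    """Parameterized: the driver sends the value separately from the statement text.

    The same payload is compared as a literal value against the id column and matches nothing.
    """
    query = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]


# Identifiers (table and column names) cannot be bound as parameters, so they must
# be validated instead. This allow-list is an assumption of the example.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def list_users_sorted(conn, column):
    """Validate the identifier against an allow-list before interpolating it.

    Note that the check described above still reports this f-string, because it does
    not know the value was validated; such findings need review rather than a code change.
    """
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"
    print("vulnerable:", fetch_user_vulnerable(db, payload))
    print("parameterized:", fetch_user_safe(db, payload))
    print("sorted:", list_users_sorted(db, "name"))
```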