SQL - SQL Injection

✅ SQL Injection이란?

사용자 입력을 이용해 “의도하지 않은 SQL 쿼리”를 실행시키는 공격

예방 방법: String Interpolation을 사용하지 않는다.

import sqlite3

connection = sqlite3.connect("users.db")

cursor = connection.cursor()


def init_table():
    cursor.execute(
        """
    CREATE TABLE users (
        user_id integer primary key autoincrement,
        username text not null,
        password text not null
    );
    """
    )
    cursor.execute(
        """
        insert into users (username, password) 
        values ('nico', 123), ('lynn', 321);
    """
    )


def print_all_users():
    result = cursor.execute("select * from users;")
    data = result.fetchall()
    print(data)


def i_change_password(username, new_password):
    cursor.execute(
        f"UPDATE users SET password = '{new_password}' WHERE username = '{username}'"
    )


def s_change_password(username, new_password):
    cursor.execute(
        "UPDATE users SET password = ? WHERE username = ?", (new_password, username)
    )


i_change_password("nico", "hached' --")
print_all_users()
connection.commit()
connection.close()

'🧩 SQL' 카테고리의 다른 글

SQL - Drizzle(ORM) (0)	2026.04.13
SQL - SQL with Python (0)	2026.04.13
SQL - PostgreSQL, Extensions (0)	2026.04.06
SQL - PostgreSQL, JSON Column (0)	2026.04.06
SQL - PostgreSQL, DCL(Data Control Language) (0)	2026.04.03

✅ SQL Injection이란?

'🧩 SQL' 카테고리의 다른 글

티스토리툴바