Protect code from sql injection


Hi All,

 

I have developed the below code in one of my modules, but our company's security team raised an incident, as the below code can be hacked by SQL injection. Could you please help me to change the below code so that we can avoid SQL injection.

 

print("Please Enter Table name")
tablename = raw_input()
cursor = connect.cursor()
# The user-supplied name is spliced straight into the statement text (the flagged line)
query = "CREATE TABLE D0_DATABASE.{tablename}(CUST_ID INTEGER, CUSTOMER_NAME VARCHAR(50))".format(tablename = tablename)
cursor.execute(query)

 

Thanks in Advance 

Teradata Employee

Re: Protect code from sql injection

In other cases you might be able to pass the string value as a parameter, but in this case you have to concatenate it into the statement.

So you will need an edit before doing that, to make sure it's only a simple name, e.g. see if it matches a RegEx such as '^[A-Za-z0-9_]+$' (allowing only letters, digits, and underscores).
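The following is an added example illustrating the reply above; it is not code from the original post or from Teradata. It validates the table name against the allow-list regex before splicing it into the CREATE TABLE text, and shows the other half of the reply (passing string values as bound parameters) using an in-memory SQLite connection as a stand-in for the Teradata connection, so it runs offline. The 128-character length cap, the `main` schema used for the SQLite demo, and the sample rows are assumptions made for this example. One caveat the example also covers: with Python's re.match, `$` matches before a trailing newline, so `\Z` is used instead of `$` to anchor the end of the name.

```python
import re
import sqlite3

# Allow-list from the reply: letters, digits and underscores only.
# \A and \Z anchor the whole string; with "$" and re.match, "NAME\n" would pass.
IDENTIFIER_RE = re.compile(r'\A[A-Za-z0-9_]+\Z')
MAX_IDENTIFIER_LEN = 128  # assumed cap for this example (Teradata limits identifier length)


def is_safe_identifier(name):
    """Return True only if name is a plain identifier that is safe to splice into SQL text."""
    return (isinstance(name, str)
            and 0 < len(name) <= MAX_IDENTIFIER_LEN
            and IDENTIFIER_RE.match(name) is not None)


def build_create_table(tablename, database="D0_DATABASE"):
    """Build the CREATE TABLE statement from the post, refusing any name that fails the allow-list."""
    if not is_safe_identifier(tablename):
        raise ValueError("invalid table name: %r" % (tablename,))
    return ("CREATE TABLE {db}.{tbl}(CUST_ID INTEGER, CUSTOMER_NAME VARCHAR(50))"
            .format(db=database, tbl=tablename))


def create_and_populate(tablename, rows, database="main"):
    """Demo with in-memory SQLite as a stand-in for Teradata (assumption for this example).

    The identifier is validated and spliced into the statement text; the row values
    never touch the SQL text and travel as bound parameters ("?" placeholders).
    Returns the number of rows stored.
    """
    conn = sqlite3.connect(":memory:")
    try:
        cur = conn.cursor()
        cur.execute(build_create_table(tablename, database))
        insert = ("INSERT INTO {db}.{tbl} (CUST_ID, CUSTOMER_NAME) VALUES (?, ?)"
                  .format(db=database, tbl=tablename))
        cur.executemany(insert, rows)  # values are bound by the driver, not formatted in
        cur.execute("SELECT COUNT(*) FROM {db}.{tbl}".format(db=database, tbl=tablename))
        return cur.fetchone()[0]
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample inputs: two plain names and three that must be rejected.
    for candidate in ["CUSTOMERS", "CUST_2024", "CUSTOMERS\n", "", "CUSTOMERS;DROP TABLE X"]:
        print("%-28r -> %s" % (candidate, "accepted" if is_safe_identifier(candidate) else "rejected"))
    print(build_create_table("CUSTOMERS"))
    # A value containing a quote and a semicolon is stored verbatim because it is a parameter.
    print(create_and_populate("CUSTOMERS", [(1, "Alice"), (2, "O'Brien; extra text")]))
```

Whether a value can be a bind parameter or must be validated and spliced depends on where it lands in the statement: column values are parameters, while object names such as the table name cannot be parameterised and need the allow-list check shown here.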