Is this type of data insertion safe and can stop sql injection in Python?

Question

I am learning Database connection from MySQL Connector/Python Developer Guide.

This is the code I am using to insert data:

conn = mysql.connector.connect(user="user", password="password", host="127.0.0.1", database="db")
cursor = conn.cursor()
query = ("INSERT INTO test(name,email) VALUES(%s,%s)")
data = ("cool", "cool")
cursor.execute(query, data)
conn.commit()
cursor.close()
conn.close()

Is this type of data insertion safe and can stop sql injection?

score 2 · Answer 1 · answered Nov 14 '14 at 17:08

Yes. According to the documentation, this is the correct syntax for specifying and executing a query with parameters. Parametrized queries are immune to SQL injection; SQL injection can only occur when you mix user input directly into the query string instead of separating it out.

Is this type of data insertion safe and can stop sql injection in Python?

1 Answers1