YouTube

Got a YouTube account?

New: enable viewer-created translations and captions on your YouTube channel!

English subtitles

← Curing Bobby Tables - Intro to Relational Databases

Get Embed Code
4 Languages

Showing Revision 4 created 05/24/2016 by Udacity Robot.

  1. The problem with our code is that user
    input gets put into a database query in
  2. an unsafe way.
  3. Some text submitted in the forum
    ended up being considered as
  4. SQL code instead of as a text value.
  5. But there's another way to
    do our query that's safe.
  6. When we execute a query,
    we can put a %s in the query text, and
  7. then after it,
    a tuple parameter to the execute call.
  8. The database library will
    substitute this into the query in
  9. a way that's safe so
    this problem will never happen again.
  10. Using what you've just learned,
    you can now update forumdb.py to
  11. execute insert queries safely
    using query parameters.
  12. Test your work by checking that
    you can now make posts with single
  13. quotes in them and
  14. that the SQL injection attack query
    doesn't delete the whole forum anymore.
  15. When you're done, press Submit,
    then Continue to go on.