SQL injection from string concatenation in psycopg2 queries

Critical Risk sql-injection
pythonpsycopg2postgresqlsqlinjectiondatabase

What it is

SQL injection vulnerability where SQL queries are built via concatenation, formatting, or f-strings with untrusted variables instead of using bound parameters, allowing attackers to inject SQL to read, modify, or delete data, bypass authentication, and execute database-level operations.

ℹī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

ℹī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Using Python string formatting methods to build SQL queries with user input.

Root causes

String Formatting in SQL Queries

Using Python string formatting methods to build SQL queries with user input.

Dynamic Query Building

Constructing queries dynamically without using psycopg2's SQL composition tools.

Fixes

1

Use Parameterized Queries

Use %s placeholders and pass parameters as a tuple to execute().

View implementation 
cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,))
2

Use psycopg2.sql Module

For dynamic identifiers, use psycopg2.sql.SQL with Identifier and Placeholder.

View implementation 
from psycopg2 import sql
query = sql.SQL('SELECT * FROM {} WHERE id = {}').format(
    sql.Identifier('users'),
    sql.Placeholder()
)
cursor.execute(query, (user_id,))
3

Validate Dynamic Components

When dynamic SQL is necessary, validate against an allowlist.

View implementation 
Ensure table names and column names are from a predefined list

Detect This Vulnerability in Your Code

Sourcery automatically identifies sql injection from string concatenation in psycopg2 queries and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities