This is why you sanitize user input: Chat hacked live by XSS/HTML code injection

Using SQL prepared statements rather than psycopg2's parameterization to illustrate the point:

import psycopg2

conn = psycopg2.connect(dbconn)  # dbconn: a libpq connection string, assumed to be defined elsewhere

# PREPARE is standard SQL: the statement's shape is fixed once, with $1 as a typed parameter slot.
prepared = """
    PREPARE getuser (text) AS
        SELECT username, password FROM users WHERE username=$1;
    """
# EXECUTE supplies the value. It is handed to execute() as a bound parameter (%s) instead of
# being spliced into the string with str.format, which is what keeps it from altering the statement.
execute = """
    EXECUTE getuser(%s);
    """

with conn:
    with conn.cursor() as c:
        c.execute(prepared)
    with conn.cursor() as c:  # prepared statements live for the session, so a second cursor on the same connection still sees getuser
        c.execute(execute, ('johnsmith',))
        user, password = c.fetchone()
print(user, password)

I haven't actually run this so I'm not 100% sure it's all totally valid code, but it's close enough. Using that parameterized query is part of the SQL standard, and as such it works with any client for (Postgres in this case, but) any full implementation of SQL.

Which is why he crossed out the "Every programming library worth anything" bit: literally anything that interacts with SQL in a way that allows performing queries supports this, no matter how shit that library is.
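To make the point concrete, here is an added example (not from the comment above or from the video it discusses) that runs offline against an in-memory SQLite database standing in for the Postgres `users` table. It puts the string-formatting lookup next to the parameterized one and feeds both the same hostile input, and it adds the HTML-side analog from the thread title: escaping a chat message before it is rendered. The table contents and the input string are constructed for the demo; the placeholder syntax is SQLite's `?`, where psycopg2 uses `%s` with the same `execute(sql, params)` shape.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: two users, no real credentials.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("johnsmith", "hunter2"), ("alice", "correcthorse")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The input is pasted into the SQL text, so quote characters in it
    # change the structure of the statement the database parses.
    query = "SELECT username, password FROM users WHERE username='{}'".format(username)
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # The driver sends the value separately from the statement; whatever it
    # contains is compared as a literal string and can never become SQL.
    query = "SELECT username, password FROM users WHERE username=?"
    return conn.execute(query, (username,)).fetchall()


def render_chat_message(text):
    # Same principle at the HTML boundary: encode the data so the browser
    # cannot mistake it for markup. html.escape handles < > & and quotes.
    return "<li>{}</li>".format(html.escape(text, quote=True))


def demo():
    conn = make_db()
    # Constructed input that closes the quote and appends a tautology.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, hostile)),
        "parameterized_rows": len(lookup_parameterized(conn, hostile)),
        "normal_rows": len(lookup_parameterized(conn, "johnsmith")),
        "rendered": render_chat_message("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The formatted query returns every row because the `WHERE` clause has been rewritten to `username='x' OR '1'='1'`; the parameterized query returns nothing because it looks for a user whose name is literally `x' OR '1'='1`. The rendered chat line contains no `<` or `>` characters, so the browser shows the text instead of executing it.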

/r/programming Thread Parent Link - youtu.be