Docs for SQL parameterization are a security risk

The information contained here: https://github.com/NHSDigital/rap-community-of-practice/blob/main/docs/training_resources/python/using-f-strings-sql-queries.md is bad practice across the industry. You do **not** use f-strings to parameterise SQL queries. This is open to SQL Injection, which remains one of the biggest attack vectors across the industry.

Parameterization is standardised [in the DB API](https://peps.python.org/pep-0249/) with the various token options [here](https://peps.python.org/pep-0249/#paramstyle).

If you want to pass parameters to `pandas` for execution, then you can use [this](https://stackoverflow.com/a/24418294/4799172). Specifically, the `params` argument to [`pd.read_sql_query`](https://pandas.pydata.org/docs/reference/api/pandas.read_sql_query.html).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Docs for SQL parameterization are a security risk #69

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Docs for SQL parameterization are a security risk #69

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions