SQL injection via string-formatted queries
critical | security | Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
Raw SQL queries are constructed using string formatting (f-strings, % formatting, or concatenation) with user input, allowing SQL injection attacks that can read, modify, or delete arbitrary data.
Recommended action:
Never use string formatting for SQL. Use parameterized queries: cursor.execute("SELECT id, username FROM auth_user WHERE username LIKE %s", [like]). Here %s is a placeholder that the database driver binds as a value, not Python %-formatting, so the input can never change the query structure. Prefer the Django ORM: User.objects.filter(username__icontains=term). If raw SQL is required, always use parameter placeholders.
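As an added example (not part of this rule page), a small AST-based check for the pattern described above: it flags execute()/executemany()/raw() calls whose SQL argument is built with an f-string, %-formatting, concatenation or str.format, and follows one level of simple assignment so the SQL-in-a-variable variant is caught too. The sink names and the sample source are assumptions constructed for the demonstration.

```python
import ast

# Assumed sink names: cursor.execute / executemany and Django's Model.objects.raw
SINK_NAMES = {"execute", "executemany", "raw"}

def _formatting_kind(node):
    """Return how a SQL string is assembled at runtime, or None for a plain literal."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        # Literal + literal is harmless; flag only when a non-literal is joined in
        if not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant)):
            return "concatenation"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return "str.format"
    return None

def find_formatted_sql(source):
    """Return (lineno, kind) for every sink call whose SQL argument is string-formatted."""
    tree = ast.parse(source)
    assigned = {}  # name -> last assigned expression, to resolve `sql = ...; cursor.execute(sql)`
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            assigned[node.targets[0].id] = node.value
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINK_NAMES and node.args):
            continue
        sql = node.args[0]
        if isinstance(sql, ast.Name):
            sql = assigned.get(sql.id, sql)
        kind = _formatting_kind(sql)
        if kind:
            findings.append((node.lineno, kind))
    return findings

# Constructed sample source (not from any real project): four flagged patterns and one safe call.
SAMPLE = '''
cursor.execute(f"SELECT id FROM auth_user WHERE username LIKE '%{term}%'")
sql = "SELECT id FROM auth_user WHERE username = '%s'" % name
cursor.execute(sql)
cursor.execute("SELECT id FROM auth_user WHERE id = " + user_id)
User.objects.raw("SELECT * FROM auth_user WHERE email = '{}'".format(email))
cursor.execute("SELECT id, username FROM auth_user WHERE username LIKE %s", [like])
'''

if __name__ == "__main__":
    for lineno, kind in find_formatted_sql(SAMPLE):
        print(f"line {lineno}: SQL built via {kind}")
```

The last line of the sample, which passes the parameter separately, produces no finding.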