Update sql_injection_login.py

[N1m1sh4]

No description provided.

[semgrep-app]

Semgrep identified an issue in your code:
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.

Dataflow graph

flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>vulns/sql_injection/sql_injection_login.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/Buildkite007/bad-python-app/blob/48afdaa451e81f9c9e7c8ad928f108d862e4395d/vulns/sql_injection/sql_injection_login.py#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] request.form</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/Buildkite007/bad-python-app/blob/48afdaa451e81f9c9e7c8ad928f108d862e4395d/vulns/sql_injection/sql_injection_login.py#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] form</a>"]

            v3["<a href=https://github.com/Buildkite007/bad-python-app/blob/48afdaa451e81f9c9e7c8ad928f108d862e4395d/vulns/sql_injection/sql_injection_login.py#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] username</a>"]
        end
            v2 --> v3
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/Buildkite007/bad-python-app/blob/48afdaa451e81f9c9e7c8ad928f108d862e4395d/vulns/sql_injection/sql_injection_login.py#L21 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 21] f&quot;SELECT * FROM users WHERE username=&apos;{username}&apos; AND password=&apos;{password_hash}&apos;&quot;</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink

Loading

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-sql-string.

_{You can view more details about this finding in the Semgrep AppSec Platform.}