# SQL Injection

### Introduction

In this lesson, we'll learn how users can hack into our database through SQL injection, and what we can do about it.

### SQL Injection: How it occurs

Imagine that we have a movies database and that we write the following function queries for movies by their genre:

In [1]:
def movies_by_genre(genre):
    cursor.execute(f"SELECT * FROM movies WHERE genre = {genre};")
    movies = cursor.fetchall()

Now if we think about where this query may come from, it may be triggered because of an API request.  For example we can imagine a user triggers the call of this function through reaching the following endpoint.

> Another word for a specific url on an api is an **endpoint**.

`/movies?genre=action`

And this request will lead to our function being called like so:

* `movies_by_genre('action')`
* `cursor.execute(f"SELECT * FROM movies WHERE genre = action;")`

### What's the problem?

Well, the danger is that a malcious user when accessing the API could also type in something like the following:

`/movies?genre=action; DROP table users;`

Which would lead to:

* `movies_by_genre('action; DROP table users;')`
* `cursor.execute(f"SELECT * FROM movies WHERE genre = action; DROP TABLE users;")`

This is bad news.  Our user table just got dropped.  And it's because a malicious user inputted in a SQL command to drop our users table.

So we now have a dilemma.  We want an API that allows users to query our database, but we want to prevent malicious calls to our database.

### Our fix: String Composition

To prevent this, we can change our `movies_by_genre` function to the following:

In [2]:
def movies_by_genre(genre):
    cursor.execute(f"SELECT * FROM movies WHERE genre = %s;", (genre,))
    movies = cursor.fetchall()

This way when our user passes through a malicious API request, the user input is passed through the execute function as a separate argument.

In [None]:
cursor.execute(f"SELECT * FROM movies WHERE genre = %s;", ('movies; DROP TABLE users;',))

The `psycopg2` library can look at this last argument to ensure it only contains SQL arguments and not fully formed SQL commands like `DROP TABLE users;`.  If a user passes through a command, `psycopg2` simply will not execute it.

So preventing SQL injection does not involve a lot of work.  We simply should replace any dynamic arguments (often after `=`, `>`, `<` with a `%s`.


To ensure that we can get this working properly there are a couple of gotchas to note:

1. With string composition, our second argument must be a tuple or a list.  

* If it's a one element tuple, make sure we have one element tuple, make sure there's a comma after the tuple or the tuple will not be passed through.

In [None]:
cursor.execute(f"SELECT * FROM movies WHERE genre = %s;", (genre,))

In [2]:
('Action',) # this is a tuple

('Action',)

In [4]:
('Action') # this is a string

'Action'

2. Passing through multiple arguments

> Make sure there is a `%s` for each value we wish to pass through.  

In [4]:
cursor.execute(f"SELECT * FROM movies WHERE genre = %s AND revenue > %s;", (genre, revenue_amount))

### Summary

In this lesson, we saw how to use psycopg2 to connect to postgres using a Python library.  The key is to install with the `psycopg2-binary` library.  Then, in connecting to a specific database, we specify the datbase name, the user and password.  The host and port are optional.