
I use sqlite3 for my database and get data from an untrusted source with

flask.request.get()

I insert all data with such syntax

c.execute("INSERT INTO table (e1, e2) VALUES(?, ?)", (V1, V2))

as recommended here. My question is

How does python-sqlite3 sanitize these requests? What happens in case the entry type is BLOB? Since BLOB has to be written as it is, what constraints will sanitization put on it?

1 Answer


This is making a prepared statement. It won't sanitize the inputs. At a low level, it's probably using the SQLite C API, and it would look something like:

sqlite3_stmt *stmt;
sqlite3_prepare_v2(db, "INSERT INTO table (e1, e2) VALUES(?, ?)", -1, &stmt, NULL);
sqlite3_bind_int(stmt, 1, V1);                              /* parameter indexes are 1-based */
sqlite3_bind_blob(stmt, 2, V2, V2_len, SQLITE_TRANSIENT);  /* raw bytes, copied by SQLite, never spliced into the SQL text */
while ((rc = sqlite3_step(stmt)) == SQLITE_ROW) {
    /* do something with the rows (an INSERT yields none; the loop ends when step returns SQLITE_DONE) */
    ...
}
sqlite3_finalize(stmt);

This is just pseudo-code but you get the idea. You can see the values being bound don't need to be sanitized because they aren't concatenated with the string. The SQLite C API is described here.

Blake
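The point of the answer, demonstrated from the Python side as an added example (not code from the question or answer): with `?` placeholders, a TEXT value full of quote characters and a BLOB containing NUL, quote and high bytes are handed to SQLite as typed parameters and come back byte-for-byte identical. The table name `t`, the helper names and the sample inputs are constructed for this example.

```python
import sqlite3

# Constructed sample inputs standing in for untrusted request values.
# The text contains quotes and SQL-looking fragments; the blob holds bytes
# (NUL, quotes, backslash, 0xFF) that no string-escaping scheme could pass safely.
HOSTILE_TEXT = "O'Brien'); -- comment"
HOSTILE_BLOB = b"\x00'\"\\\xff\x00 blob payload \x1a"


def open_db():
    """In-memory database with a two-column table like the one in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (e1 TEXT, e2 BLOB)")
    return conn


def insert_row(conn, v1, v2):
    """Bind the values with '?' placeholders: str binds as TEXT, bytes as BLOB.
    Neither value ever becomes part of the SQL text, so nothing is escaped."""
    conn.execute("INSERT INTO t (e1, e2) VALUES (?, ?)", (v1, v2))
    conn.commit()


def stored_types(conn):
    """SQLite's own view of the stored column types, e.g. ('text', 'blob')."""
    return conn.execute("SELECT typeof(e1), typeof(e2) FROM t").fetchone()


def roundtrip(v1, v2):
    """Insert the hostile inputs, read them back, and report
    (values identical to the inputs?, stored types, rows in table)."""
    conn = open_db()
    insert_row(conn, v1, v2)
    e1, e2 = conn.execute("SELECT e1, e2 FROM t").fetchone()
    types = stored_types(conn)
    rows = conn.execute("SELECT count(*) FROM t").fetchone()[0]
    conn.close()
    # Exactly one row, the SQL-looking text stored as plain data, the blob intact.
    return e1 == v1 and e2 == v2, types, rows


if __name__ == "__main__":
    print(roundtrip(HOSTILE_TEXT, HOSTILE_BLOB))
```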