Python Secure Coding

Secure coding practices for Python applications.


SQL Injection Prevention

1# ❌ Vulnerable
2user_input = request.GET['username']
3query = f"SELECT * FROM users WHERE username = '{user_input}'"
4cursor.execute(query)
5
6# ✅ Secure: Parameterized queries
7user_input = request.GET['username']
8query = "SELECT * FROM users WHERE username = %s"
9cursor.execute(query, (user_input,))

Command Injection Prevention

 1# ❌ Vulnerable
 2filename = request.GET['file']
 3os.system(f'cat {filename}')
 4
 5# ✅ Secure: Use subprocess with list
 6import subprocess
 7filename = request.GET['file']
 8if not re.match(r'^[a-zA-Z0-9_.-]+$', filename):
 9    raise ValueError("Invalid filename")
10subprocess.run(['cat', filename], check=True)

XSS Prevention

 1# ❌ Vulnerable
 2from flask import Flask, request
 3@app.route('/search')
 4def search():
 5    query = request.args.get('q')
 6    return f'<h1>Results for: {query}</h1>'
 7
 8# ✅ Secure: Escape output
 9from markupsafe import escape
10@app.route('/search')
11def search():
12    query = request.args.get('q')
13    return f'<h1>Results for: {escape(query)}</h1>'

Secure Password Hashing

1# ❌ Insecure
2import hashlib
3password_hash = hashlib.md5(password.encode()).hexdigest()
4
5# ✅ Secure: Use bcrypt
6import bcrypt
7password = "user_password"
8salt = bcrypt.gensalt(rounds=12)
9hashed = bcrypt.hashpw(password.encode('utf-8'), salt)

Secure Random Generation

1# ❌ Insecure
2import random
3token = ''.join(random.choices(string.ascii_letters, k=32))
4
5# ✅ Secure
6import secrets
7token = secrets.token_urlsafe(32)

Related Snippets