Simple code to demo how SQL injection works, and how it can be addressed

Python version - 3.6+
Ensure the pysqlite package is installed (should be there by default)
Create the initial Data base with a few users to test the program. User creation can be done through 'python create_db.py'.

Start the program using python app.py. Rest is fairly straightforward

• For login workflow, Set password to p' or 1=1
• For login workflow, set password to p' union select * from users --
• For query user workflow, set user id to 100 or 1=1
• For query user workflow, set user id to 100 union select * from users

A few of the vulnerabilties are blocked, and it is slightly more secure

• For login workflow, there are no simple injections possible.
• For query user workflow, set user id to 100 or 1=1
• For query user workflow, set user id to 100 UniOn selselectect * from users

Gaining information is not possible, but server can be crashed

• For the query user workflow, set userid to 0x313030206f722031203d2031 (This is a hex representation of 100 or 1 = 1). Since the number is too big for SQLite, it cause a crash of the program.

None