Derived from the flake8-bandit linter.
What it does#
Checks for strings that resemble SQL statements involved in some form string building operation.
Why is this bad?#
SQL injection is a common attack vector for web applications. Directly
interpolating user input into SQL statements should always be avoided.
Instead, favor parameterized queries, in which the SQL statement is
provided separately from its parameters, as supported by
and other database drivers and ORMs.