✨ (Snyk) Fixed finding: "SQL Injection"

insecure-api/main.py

@@ -115,8 +115,8 @@ def search_games(query: str):
     conn = sqlite3.connect('videogames.db')
     cursor = conn.cursor()
     try:
-        sql_query = f"SELECT * FROM video_games WHERE title = '{query}'"
-        cursor.execute(sql_query)
+        sql_query = "SELECT * FROM video_games WHERE title = ?"
+        cursor.execute(sql_query, (query,))
         rows = cursor.fetchall()
     except Exception as e:
         # Return the exception message for educational purposes (not recommended in production)

insecure-app/app.py

@@ -87,8 +87,8 @@ def index():
             username = request.form['username']
             try:
                 # Vulnerable SQL query using string interpolation
-                query = "SELECT password FROM users WHERE username = '{}'".format(username)
-                cursor.execute(query)
+                query = "SELECT password FROM users WHERE username = %s"
+                cursor.execute(query, (username,))
                 result = cursor.fetchone()
                 if result:
                     output = f"Password for {username}: {result[0]}"