Click here to Skip to main content
15,169,140 members
Please Sign up or sign in to vote.
1.00/5 (2 votes)
See more:
"SELECT * FROM tb_user WHERE username = '%s' AND password = '%s'" % username, password

what is the correct format like?

What I have tried:

"SELECT * FROM tb_user WHERE username = '%s' AND password = '%s'" % username % password
Updated 29-Jun-21 5:44am

1 solution

The "correct format" has two parts:

1) Use parameterized queries to avoid SQL Injection vulnerabilities.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
SQL injection attack mechanics | Pluralsight [^]

2) Never store passwords in plain text. Store a salted hash of the password, using many iterations of a secure one-way hashing algorithm.
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900