cursor.execute() built with unsafe string interpolation
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
connection.cursor().execute() is called with a query string built with an f-string, %-formatting, .format(), or concatenation instead of passing parameters as the second argument. The DB-API driver only escapes values passed through its own parameter substitution, never text baked into the query string.
Why it matters
A raw cursor.execute() call sends its first argument to the database driver as the literal query text; the driver only escapes values passed through its own parameter-substitution mechanism, never text that was already baked into the query string by Python string formatting. Building the query with an f-string, %, .format(), or concatenation makes any interpolated value a SQL injection point.
How to fix it
Pass the query with %s (or the driver-specific placeholder) and hand the real values as a second argument to execute(): cursor.execute("SELECT * FROM app_model WHERE id = %s", [record_id]). This works the same way across psycopg2, MySQLdb, and sqlite3; never build the SQL string with interpolated values yourself.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo