SQL built with an f-string (Python)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
An f-string SQL literal embeds a {value} placeholder instead of passing parameters to the cursor, which is a SQL injection risk when the value is user-controlled.
Why it matters
An f-string SQL literal like f"SELECT ... WHERE id = {uid}" formats the value into the query before the database sees it, so a crafted value can change the query. Passing the value as a parameter closes this completely. This is a heuristic since a trusted constant inside the f-string is a false positive.
How to fix it
Use your driver placeholder and pass the values as the second argument: cursor.execute("SELECT ... WHERE id = %s", (uid,)) for psycopg/mysql, or "?" for sqlite3. Do not build the SQL string with an f-string at all.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo