
PySqlite3

The sqlite3 module wraps the SQLite C library. cursor.execute() and executemany() accept raw SQL strings and are injection sinks when the SQL is built from user input. Use the ? placeholder form for safe parameter binding.

Taint flow: 0 sources, 3 sinks

Sinks (dangerous calls):
.execute()
.executemany()
.executescript()

Sinks

.execute() (Sink)

Signature:
Cursor.execute(sql: str, parameters: Sequence = ()) -> Cursor

Executes SQL. Sink for injection when sql is built from user input without placeholders.

tracks: 0

.executemany() (Sink)

Signature:
Cursor.executemany(sql: str, parameters: Iterable) -> Cursor

Executes SQL repeatedly. Same injection risk as execute().

tracks: 0

.executescript() (Sink)

Signature:
Cursor.executescript(sql_script: str) -> Cursor

Runs a multi-statement SQL script. No parameter binding available — always injection-sensitive.

tracks: 0
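The three sinks above, shown side by side as an added example (not code from the original page or from the rule SDK): a string-formatted query reaches execute() as SQL, the ? placeholder form binds the same input as data, execute() rejects stacked statements, and executescript() runs every statement it is given with no binding at all. The table, rows and inputs are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample data; not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Sink: the SQL text is built from the input, so the input is
    # parsed as SQL. This is the pattern the PySqlite3 rule flags.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # ? placeholder: the value is bound by SQLite and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def stacked_statements_rejected(conn: sqlite3.Connection) -> bool:
    # execute() only runs a single statement; a second one raises.
    # (sqlite3.Warning is caught as well for older interpreters.)
    try:
        conn.execute("SELECT 1; SELECT 2")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def run_script(conn: sqlite3.Connection, script: str) -> None:
    # executescript() has no parameter form and runs every statement in
    # the string, so its argument must never be built from user input.
    conn.executescript(script)
```

Running find_user_unsafe with the constructed input "x' OR '1'='1" returns every row, while find_user_safe with the same input returns nothing, because the bound value is compared literally.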

Other Methods

.connect() (Neutral)

Signature:
sqlite3.connect(database: str, ...) -> Connection

Opens a database connection. Neutral; the Cursor is where injection happens.

Fully-Qualified Names

FQN                   Field
sqlite3               fqns[0]
sqlite3.Cursor        fqns[1]
sqlite3.Connection    fqns[2]

A wrong FQN yields 0 findings. Verify the FQNs by changing fqns to garbage values: the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PySqlite3