Python security

Top defences

  • SQLi: Use parameterized queries or an ORM such as SQLAlchemy; never build SQL with string formatting.

  • RCE: Avoid unpickling untrusted data and avoid os.system() on user-controlled input.

Risks

  • yaml.load() with the full/unsafe Loader → RCE (arbitrary Python object construction)

  • Template injection (Jinja2)

Example (Safe YAML Parsing):

import yaml

user_input = "key: value"  # placeholder for attacker-controlled text

# BAD: Unsafe. Before PyYAML 5.1 this Loader was the default; it builds
# arbitrary Python objects from tags such as !!python/object (code execution).
data = yaml.load(user_input, Loader=yaml.Loader)

# GOOD: Safe. Only plain YAML types are built; python/* tags raise an error.
data = yaml.safe_load(user_input)
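Added example (not part of the original page) showing the difference in behaviour: a wrapper that parses untrusted YAML with safe_load, rejects oversized or malformed input, and a contrast function showing that the full Loader turns a Python-specific tag into a live object while safe_load refuses it. It assumes PyYAML is installed; parse_untrusted_yaml and the sample documents are constructed for this example.

```python
import yaml

# Constructed samples (not from the page). The tagged one uses a benign
# python/* tag to show the mechanism; the same tag family is what makes
# the full Loader dangerous on attacker-controlled input.
PLAIN_DOC = "items: [1, 2]\nname: demo\n"
TAGGED_DOC = "items: !!python/tuple [1, 2]\n"

MAX_BYTES = 64 * 1024  # refuse oversized documents before parsing them


def parse_untrusted_yaml(text: str):
    """Parse YAML from an untrusted source using safe_load only.

    Returns the parsed value, or None when the document is too large,
    malformed, or carries a tag that safe_load does not construct
    (e.g. any !!python/* tag raises yaml.constructor.ConstructorError).
    """
    if len(text.encode("utf-8")) > MAX_BYTES:
        return None
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError:
        # ConstructorError (unknown/python tag) and syntax errors both
        # derive from YAMLError; treat every failure as a rejected input.
        return None


def unsafe_loader_constructs_objects(text: str):
    """For contrast only: the full Loader (the old default of yaml.load)
    honours python/* tags and builds real Python objects from them."""
    return yaml.load(text, Loader=yaml.Loader)


if __name__ == "__main__":
    print(parse_untrusted_yaml(PLAIN_DOC))               # {'items': [1, 2], 'name': 'demo'}
    print(parse_untrusted_yaml(TAGGED_DOC))              # None (tag rejected)
    print(unsafe_loader_constructs_objects(TAGGED_DOC))  # {'items': (1, 2)}
```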

Last update: 2025-05-12 14:39