{"title":"SQL Injection via f-string Formatted WHERE Clause","language":"Python","severity":"Critical","cwe":"CWE-89","source_lines":[11,12],"flow_lines":[11,12,13,4,6,7],"sink_lines":[7],"vulnerable_code":"import sqlite3\n\ndef fetch_iot_device_telemetry(device_mac, metric_type):\n    conn = sqlite3.connect('iot_hub.db')\n    cursor = conn.cursor()\n    query = f\"SELECT timestamp, value, unit FROM sensor_data WHERE device_id = '{device_mac}' AND metric = '{metric_type}' ORDER BY timestamp DESC LIMIT 50\"\n    cursor.execute(query)\n    telemetry = cursor.fetchall()\n    conn.close()\n    return telemetry\n\nuser_device = request.args.get('mac_address')\nmetric = request.args.get('sensor_type')\nresults = fetch_iot_device_telemetry(user_device, metric)","explanation":"User-controlled input from request.args.get() is directly interpolated into an SQL query using f-strings without any sanitization or parameterization. An attacker can inject malicious SQL code through the mac_address or sensor_type parameters to manipulate the query logic, extract unauthorized data, or perform other database operations.","remediation":"The fix replaces the f-string interpolation in the SQL query with parameterized query placeholders (?). The user-supplied values are passed as a tuple to cursor.execute(), which ensures the database driver properly escapes and binds the parameters, preventing any injected SQL from being interpreted as executable code.","secure_code":"import sqlite3\n\ndef fetch_iot_device_telemetry(device_mac, metric_type):\n    conn = sqlite3.connect('iot_hub.db')\n    cursor = conn.cursor()\n    query = \"SELECT timestamp, value, unit FROM sensor_data WHERE device_id = ? AND metric = ? ORDER BY timestamp DESC LIMIT 50\"\n    cursor.execute(query, (device_mac, metric_type))\n    telemetry = cursor.fetchall()\n    conn.close()\n    return telemetry\n\nuser_device = request.args.get('mac_address')\nmetric = request.args.get('sensor_type')\nresults = fetch_iot_device_telemetry(user_device, metric)"}