{"title":"SQL Injection via psycopg2 String Formatting","language":"Python","severity":"Critical","cwe":"CWE-89","source_lines":[1],"flow_lines":[1,4,5],"sink_lines":[5],"vulnerable_code":"import psycopg2\n\ndef fetch_iot_device_telemetry(device_mac, time_range):\n    conn = psycopg2.connect(\"dbname=iot_platform user=admin password=secret\")\n    cursor = conn.cursor()\n    query = \"SELECT timestamp, temperature, humidity, battery_level FROM sensor_data WHERE device_mac='%s' AND timestamp > '%s' ORDER BY timestamp DESC\" % (device_mac, time_range)\n    cursor.execute(query)\n    telemetry = cursor.fetchall()\n    cursor.close()\n    conn.close()\n    return telemetry","explanation":"The function parameters device_mac and time_range are directly interpolated into the SQL query using Python's % string formatting operator without sanitization or parameterization. This allows an attacker to inject arbitrary SQL commands that will be executed by cursor.execute().","remediation":"The fix replaces unsafe Python string formatting (% operator) with psycopg2's built-in parameterized query mechanism. By passing user inputs as a tuple in the second argument to cursor.execute(), psycopg2 properly escapes and quotes the values, preventing any injected SQL from being interpreted as code.","secure_code":"import psycopg2\n\ndef fetch_iot_device_telemetry(device_mac, time_range):\n    conn = psycopg2.connect(\"dbname=iot_platform user=admin password=secret\")\n    cursor = conn.cursor()\n    query = \"SELECT timestamp, temperature, humidity, battery_level FROM sensor_data WHERE device_mac=%s AND timestamp > %s ORDER BY timestamp DESC\"\n    cursor.execute(query, (device_mac, time_range))\n    telemetry = cursor.fetchall()\n    cursor.close()\n    conn.close()\n    return telemetry"}