Choosing the safe approach for user input
A pipeline accepts a product name from user configuration to filter a SQL query. Your colleague suggests two approaches:
Approach A uses params (the value is substituted into the SQL text by Jinja templating before the statement is sent to the database):

    SQLExecuteQueryOperator(
        sql="SELECT * FROM orders WHERE product = '{{ params.product }}'",
        params={"product": user_input},
    )
Approach B uses parameters (the SQL text stays fixed and the value is handed to the database driver separately, as a bound parameter):

    SQLExecuteQueryOperator(
        sql="SELECT * FROM orders WHERE product = $product",
        parameters={"product": user_input},
    )
Which approach is injection-safe when the product name comes from untrusted user input?
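To see the difference the question turns on, here is an added example (not part of the exercise, and not Airflow's or the operator's own code) that runs both shapes against a constructed in-memory SQLite table. Jinja rendering of {{ params.product }} is emulated with plain string substitution, and sqlite3's :name placeholder stands in for the $product placeholder shown above, since placeholder spelling is driver-specific.

```python
import sqlite3

# Constructed sample data standing in for the pipeline's orders table.
ROWS = [(1, "widget", 10.0), (2, "gadget", 25.0), (3, "internal-sku", 999.0)]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, product TEXT, amount REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ROWS)
    return conn


def approach_a(user_input: str) -> list:
    """Approach A: the value is rendered into the SQL text before it reaches
    the driver. The Jinja step is emulated with str.replace; the resulting
    string is what the database actually parses."""
    sql = "SELECT id FROM orders WHERE product = '{{ params.product }}'"
    rendered = sql.replace("{{ params.product }}", user_input)
    return [row[0] for row in make_db().execute(rendered).fetchall()]


def approach_b(user_input: str) -> list:
    """Approach B: the SQL text is fixed and the value is bound separately,
    so the database always treats it as a string literal, quotes included."""
    sql = "SELECT id FROM orders WHERE product = :product"
    return [row[0] for row in make_db().execute(sql, {"product": user_input}).fetchall()]


CLEAN = "widget"
# Constructed input containing a quote character: harmless as data, but it
# changes the meaning of the statement when pasted into the SQL text.
QUOTED = "widget' OR '1'='1"

if __name__ == "__main__":
    print("A, clean input:  ", approach_a(CLEAN))   # [1]
    print("A, quoted input: ", approach_a(QUOTED))  # [1, 2, 3]: the WHERE clause was rewritten
    print("B, clean input:  ", approach_b(CLEAN))   # [1]
    print("B, quoted input: ", approach_b(QUOTED))  # []: no product has that literal name
```

Printing the rendered string from approach_a on the quoted input shows the clause the database sees; the same input under approach_b never touches the statement text.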
This exercise is part of the course
Building Data Pipelines with Airflow