
Choosing the safe approach for user input

A pipeline accepts a product name from user configuration to filter a SQL query. Your colleague suggests two approaches:

Both approaches use the same operator (the task_id and conn_id values below are illustrative; the original snippet omitted them):

from airflow.providers.common.sql.operators.sql import SQLExecuteQueryOperator

Approach A uses params (Jinja rendering). The value is substituted into the SQL text when the template is rendered, before the statement reaches the database:

SQLExecuteQueryOperator(
    task_id="filter_orders_a",
    conn_id="warehouse",
    sql="SELECT * FROM orders WHERE product = '{{ params.product }}'",
    params={"product": user_input},  # rendered into the string as text by Jinja
)

Approach B uses parameters (DB-level binding). The SQL text and the value are sent to the driver separately, and the driver binds the value as data. The placeholder syntax depends on the driver's DB-API paramstyle (for example %(product)s for psycopg2, :product for sqlite3); $product is shown here as a generic placeholder:

SQLExecuteQueryOperator(
    task_id="filter_orders_b",
    conn_id="warehouse",
    sql="SELECT * FROM orders WHERE product = $product",
    parameters={"product": user_input},  # passed through to cursor.execute as a bound value
)

Which approach is injection-safe when the product name comes from untrusted user input?
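To see the difference concretely, here is an added example (not part of the course material) that runs both approaches against an in-memory SQLite table. Jinja is not imported; a plain string replacement stands in for its rendering of {{ params.product }}, which is what Jinja does with the value when autoescaping is off, as it is for Airflow SQL templates. The orders rows, the MALICIOUS_INPUT payload and the :product placeholder (sqlite3's named paramstyle) are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for the pipeline's orders table.
ORDERS = [("widget", 10), ("gadget", 20), ("internal-sku", 999)]

# A product "name" an untrusted user could supply (constructed for this example).
MALICIOUS_INPUT = "widget' OR '1'='1"


def make_db():
    """In-memory SQLite database seeded with the sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (product TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ORDERS)
    return conn


# Approach A: the template that Airflow would hand to Jinja.
TEMPLATE_A = "SELECT * FROM orders WHERE product = '{{ params.product }}'"


def render_approach_a(user_input):
    """Stand-in for Jinja rendering of params: the value is pasted into the
    SQL text verbatim, exactly as {{ params.product }} renders it."""
    return TEMPLATE_A.replace("{{ params.product }}", str(user_input))


def run_approach_a(conn, user_input):
    """Execute the rendered string; quotes in user_input reshape the query."""
    return conn.execute(render_approach_a(user_input)).fetchall()


# Approach B: the SQL text never changes; the value is bound by the driver.
# sqlite3 uses the ':name' paramstyle. Airflow's DB hooks pass `parameters`
# through to the driver's cursor.execute in the same way.
SQL_B = "SELECT * FROM orders WHERE product = :product"


def run_approach_b(conn, user_input):
    """Bind user_input as a value; it can only ever match a product literally."""
    return conn.execute(SQL_B, {"product": user_input}).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("A rendered:", render_approach_a(MALICIOUS_INPUT))
    print("A rows:", run_approach_a(db, MALICIOUS_INPUT))   # every row leaks
    print("B rows:", run_approach_b(db, MALICIOUS_INPUT))   # no match, nothing leaks
```

With the benign input "widget" both approaches return the same single row, which is why the bug is easy to miss in testing. With the payload, approach A's rendered statement becomes `... WHERE product = 'widget' OR '1'='1'` and returns the whole table, while approach B compares the product column against the literal string `widget' OR '1'='1` and returns nothing.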

This exercise is part of the course

<cours>Building Data Pipelines with Airflow</cours>
