
Choosing the safe approach for user input

A pipeline accepts a product name from user configuration to filter a SQL query. Your colleague suggests two approaches:

Approach A uses params (Jinja rendering):

SQLExecuteQueryOperator(
    sql="SELECT * FROM orders WHERE product = '{{ params.product }}'",
    params={"product": user_input},
)

Approach B uses parameters (DB-level binding):

SQLExecuteQueryOperator(
    sql="SELECT * FROM orders WHERE product = $product",
    parameters={"product": user_input},
)

Which approach is injection-safe when the product name comes from untrusted user input?
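What each approach hands to the database, as an added example that is not part of the original exercise. It assumes an in-memory SQLite table with constructed rows, uses plain text substitution as a stand-in for Jinja rendering, and writes the bound placeholder as :product (the sqlite3 spelling) where the exercise writes $product.

```python
import sqlite3

# Constructed sample data; table and column names follow the exercise's query.
ROWS = [("widget",), ("gadget",), ("O'Neil mug",)]
TEMPLATE = "SELECT product FROM orders WHERE product = '{{ params.product }}'"
BOUND = "SELECT product FROM orders WHERE product = :product"  # sqlite3 form of $product


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (product TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?)", ROWS)
    return conn


def render(user_input):
    # Stand-in for Jinja rendering (assumption: plain text substitution, which is
    # what rendering a string value into the template amounts to).
    return TEMPLATE.replace("{{ params.product }}", user_input)


def approach_a(conn, user_input):
    """Templated: the value becomes part of the SQL text the database parses."""
    try:
        return [r[0] for r in conn.execute(render(user_input))]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def approach_b(conn, user_input):
    """Bound: the SQL text is fixed; the value travels separately as data."""
    return [r[0] for r in conn.execute(BOUND, {"product": user_input})]


if __name__ == "__main__":
    conn = make_db()
    for value in ("widget", "O'Neil mug", "x' OR '1'='1"):
        print(repr(value))
        print("  rendered SQL:", render(value))
        print("  approach A  :", approach_a(conn, value))
        print("  approach B  :", approach_b(conn, value))
```

With templating, a quote in the value ends the string literal early, so a legitimate name fails to parse and a crafted one rewrites the WHERE clause; with binding, both are compared as plain values.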

This exercise is part of the course

Building Data Pipelines with Airflow
