Code Room
Code review · Medium · cr-g021
Subject: SQL injection · Level: Mid–Senior · ~25 min · Common in Security, Databases & SQL, Algorithms & data structures interviews · Industries: Software development

Question

Review this Python (Flask + psycopg2) endpoint.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review
Code to review (Python)

    from flask import request, g, jsonify

    @app.route('/orders')
    def orders():
        status = request.args.get('status', 'open')
        sort = request.args.get('sort', 'created_at')
        cur = db.cursor()
        query = (
            "SELECT id, total, created_at FROM orders "
            "WHERE user_id = %s AND status = '" + status + "' "
            "ORDER BY " + sort + " DESC"
        )
        cur.execute(query, (g.user_id,))
        return jsonify(cur.fetchall())
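A hardened version of the query construction, added here as an example and not part of the exercise or the original page. The snippet under review has two distinct sinks: `status` is spliced into a string literal even though `user_id` on the same line is already bound with `%s`, and `sort` is spliced into ORDER BY, where a bound parameter cannot be used because it names a column rather than a value. The fix below binds `status` and checks `sort` against an allowlist before interpolating it. It uses the standard library's sqlite3 with `?` placeholders as a stand-in for psycopg2's `%s`; the table layout, the sample rows and the `SORTABLE_COLUMNS` list are constructed for the demo.

```python
import sqlite3

# Columns a client may sort by. Constructed allowlist for this example; the
# endpoint under review accepts any string here, which is the ORDER BY sink.
SORTABLE_COLUMNS = ("created_at", "total", "id")


def build_orders_query(user_id, status, sort, placeholder="%s"):
    """Return (sql, params) for the orders listing.

    `user_id` and `status` travel as bound parameters, so the driver sends
    them as data and a quote inside `status` is just a character.
    `sort` names a column; identifiers cannot be bound, so it is checked
    against SORTABLE_COLUMNS before being interpolated into the text.
    `placeholder` is "%s" for psycopg2 and "?" for sqlite3.
    """
    if sort not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    sql = (
        "SELECT id, total, created_at FROM orders "
        f"WHERE user_id = {placeholder} AND status = {placeholder} "
        f"ORDER BY {sort} DESC"
    )
    return sql, (user_id, status)


def make_demo_db():
    """In-memory sqlite3 database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        "id INTEGER PRIMARY KEY, user_id INTEGER, total REAL, "
        "status TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?, ?)",
        [
            (1, 1, 20.0, "open", "2024-01-01"),
            (2, 1, 50.0, "open", "2024-01-02"),
            (3, 1, 10.0, "shipped", "2024-01-03"),
            (4, 2, 99.0, "open", "2024-01-04"),
        ],
    )
    return conn


def list_orders(conn, user_id, status="open", sort="created_at"):
    """Hardened equivalent of the endpoint body, minus the Flask plumbing."""
    sql, params = build_orders_query(user_id, status, sort, placeholder="?")
    cur = conn.cursor()
    cur.execute(sql, params)
    return cur.fetchall()


if __name__ == "__main__":
    conn = make_demo_db()
    # user 1's open orders, highest total first
    print(list_orders(conn, 1, "open", "total"))
    # the quote is data: no row has this status, so the result is empty
    print(list_orders(conn, 1, "o'pen", "total"))
    # an unknown sort column is rejected before any SQL is built
    try:
        list_orders(conn, 1, "open", "not_a_column")
    except ValueError as exc:
        print("rejected:", exc)
```

With psycopg2 the column name can additionally be composed with `psycopg2.sql.SQL("... ORDER BY {} DESC").format(psycopg2.sql.Identifier(sort))`, which double-quotes the identifier; the allowlist is still the control that decides which columns a client may sort by, since quoting alone would let a caller order by any column the role can read. In a review, rank the `status` concatenation as the severe finding (the driver already supports binding it, as the `%s` for `user_id` shows) and the unvalidated `sort` as a second, separate finding rather than a style remark.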