Code Room
Code review · Medium · cr-g256
Subject: SQL injection · Level: Mid–Senior · ~25 min · Common in Security · Databases & SQL interviews · Industries: Software development

Question

Review this Python listing query that parameterizes the filter but not the sort.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review
Code to review (python)

```python
def list_products(category: str, sort_col: str, direction: str, cur):
    cur.execute(
        "SELECT * FROM products WHERE category = %s "
        f"ORDER BY {sort_col} {direction}",
        (category,),
    )
    return cur.fetchall()

# sort_col / direction come straight from query-string params
```
Run or narrate your approach, then ask the coach.
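The fix a strong reviewer would suggest, written out as an added example (not part of the exercise's own code): identifiers cannot be bound as parameters, so `sort_col` and `direction` are mapped through an allowlist and anything else is rejected before it reaches the SQL string. The column names, the `RecordingCursor` stand-in and the `is_safe_sort` helper are constructed for the demonstration.

```python
from typing import Any, Dict, Tuple

# Allowlist: the only sort keys a client may request, mapped to the exact SQL
# fragment that gets spliced in. Unknown keys are rejected, never "cleaned".
SORTABLE_COLUMNS: Dict[str, str] = {
    "name": "name",
    "price": "price",
    "created": "created_at",
}
DIRECTIONS: Dict[str, str] = {"asc": "ASC", "desc": "DESC"}


def build_products_query(category: str, sort_col: str, direction: str) -> Tuple[str, Tuple[Any, ...]]:
    """Return (sql, params): the filter value is bound, the sort pieces are allowlisted."""
    try:
        col_sql = SORTABLE_COLUMNS[sort_col]
        dir_sql = DIRECTIONS[direction.lower()]
    except KeyError as exc:
        raise ValueError(f"unsupported sort parameter: {exc.args[0]!r}") from None
    sql = (
        "SELECT * FROM products WHERE category = %s "
        f"ORDER BY {col_sql} {dir_sql}"
    )
    return sql, (category,)


def list_products(category: str, sort_col: str, direction: str, cur):
    """Same signature as the reviewed function, but the ORDER BY is built safely."""
    sql, params = build_products_query(category, sort_col, direction)
    cur.execute(sql, params)
    return cur.fetchall()


def is_safe_sort(sort_col: str, direction: str) -> bool:
    """True only if both sort inputs are in the allowlist (handy for request validation)."""
    try:
        build_products_query("", sort_col, direction)
    except ValueError:
        return False
    return True


class RecordingCursor:
    """Constructed stand-in for a DB-API cursor: records the statement it would run."""
    def __init__(self) -> None:
        self.executed = []

    def execute(self, sql: str, params: Tuple[Any, ...] = ()) -> None:
        self.executed.append((sql, params))

    def fetchall(self):
        return []
```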