Code Room
Code reviewHardcr-g437
Subject Sql injectionLevel Senior–Staff~22 minCommon in Security · Databases & SQL interviewsIndustries Software development

Question

Review this Python user-search endpoint using parameterized SQL.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review
Code to reviewpython
@app.route('/admin/users/search')@require_admindef search_users():    term = request.args.get('q', '')    conn = get_db()    cur = conn.cursor()    pattern = '%' + term + '%'    cur.execute(        "SELECT id, email FROM users WHERE email LIKE %s ORDER BY email LIMIT 50",        (pattern,),    )    rows = cur.fetchall()    return jsonify([{'id': r[0], 'email': r[1]} for r in rows])
Run or narrate your approach, then ask the coach.