Code Room
Code review · Hard · cr-g558
Subject: Security, injection, SQL, ORDER BY
Level: Senior–Staff
Duration: ~20 min
Common in Security · Databases & SQL interviews
Industries: Software development

Question

Review this Python function that lists products with client-controlled sorting.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review
Code to review (python)

```python
# `cur` is a module-level DB-API cursor that the snippet assumes already exists.
def list_products(sort_col, direction):
    # parameterized values are safe, but we also sort dynamically
    sql = f"SELECT id, name, price FROM products ORDER BY {sort_col} {direction}"
    cur.execute(sql, ())
    return cur.fetchall()

# called as list_products(request.args['sort'], request.args['dir'])
```
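The point a reviewer should land on is that identifiers (column names, ASC/DESC) cannot be bound as query parameters, so the empty `()` gives no protection and the client's strings are spliced straight into the statement. The usual fix is to map the client's input onto a fixed, server-defined allowlist and interpolate only the allowlist's values. The following is an added example of that fix, not the exercise's own code: it assumes the standard `sqlite3` module, builds its own constructed in-memory `products` table, and the helper names `build_order_by`, `make_demo_db` and `accepts_sort` are this example's own.

```python
import sqlite3

# Allowlists: the only column names and directions a client may request.
# Keys are what the client sends; values are the exact SQL fragments we emit.
ALLOWED_SORT_COLS = {"id": "id", "name": "name", "price": "price"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_col, direction):
    """Map client-supplied sort parameters onto server-controlled SQL.

    Identifiers cannot be bound as parameters, so instead of trusting the
    client's strings we look them up in a fixed table and splice only the
    table's values into the query. Anything unknown raises ValueError.
    """
    try:
        col = ALLOWED_SORT_COLS[sort_col.lower()]
        dire = ALLOWED_DIRECTIONS[direction.lower()]
    except (KeyError, AttributeError):
        raise ValueError(
            f"unsupported sort parameters: {sort_col!r}, {direction!r}"
        ) from None
    return f"ORDER BY {col} {dire}"


def accepts_sort(sort_col, direction):
    """True if the pair passes the allowlist, False otherwise (for callers
    that want a boolean instead of an exception)."""
    try:
        build_order_by(sort_col, direction)
    except ValueError:
        return False
    return True


def list_products(conn, sort_col, direction):
    """Hardened version of the reviewed function: same query shape, but the
    ORDER BY fragment comes from build_order_by, never from the client."""
    order_by = build_order_by(sort_col, direction)
    cur = conn.execute(f"SELECT id, name, price FROM products {order_by}")
    return cur.fetchall()


def make_demo_db():
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("widget", 9.99), ("gadget", 24.50), ("gizmo", 3.25)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(list_products(conn, "price", "desc"))
    # A value that is not a known column is rejected before any SQL is built.
    print("accepted:", accepts_sort("not_a_column", "asc"))
```

The same pattern applies to any dynamic identifier (table names, column lists for projections): keep the allowlist as a dict so the emitted SQL is always a server literal, and fail closed on unknown keys rather than falling back to a default that silently hides the bad input from logs.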