Databases
sqlite3, psycopg2, pymongo, redis — SQL and NoSQL sinks
PyHdbcli: Third-party Python package module — hdbcli. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyIbmDb: Third-party Python package module — ibm_db. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyLdap3: ldap3 is a pure-Python LDAP client. Connection.search() accepts a search_filter — LDAP injection sink when the filter is built from user input without escaping. Use ldap3.utils.conv.escape_filter_chars() for safe construction.
PyMysqlDb: MySQLdb (mysqlclient) is a C-extension MySQL driver. Cursor.execute() is an SQL injection sink when the query is built without %s placeholders.
PyPlayhouse: Third-party Python package module — playhouse. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyPony: Third-party Python package module — pony. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyPsycopg2: psycopg2 is the canonical PostgreSQL driver for Python. Cursor.execute() and executemany() are SQL injection sinks when the query is built by string concatenation or f-strings. Use %s placeholders for safe binding.
PyPyMongo: PyMongo is the official MongoDB driver for Python. Collection methods accept filter dicts; NoSQL injection occurs when filter dicts are built from user-supplied JSON that lets attackers inject $where, $regex, or other operator keys.
PyPymysql: PyMySQL is a pure-Python MySQL driver. Cursor.execute() accepts a raw query and a parameter tuple — injection sink when the query is built from user input without %s placeholders.
PyRedis: redis-py is the de facto Redis client for Python. Most commands are typed and safe. The main sinks are eval() and evalsha(), which run Lua scripts — injection-sensitive when the script body is user-controlled.
PySqlalchemy: SQLAlchemy is the most-used Python ORM. The text() wrapper and raw execute() are SQL injection sinks when the SQL is built from user input. Core and ORM query APIs with bound parameters are safe.
PySqlite3: The sqlite3 module wraps the SQLite C library. cursor.execute() and executemany() accept raw SQL strings and are injection sinks when the SQL is built from user input. Use the ? placeholder form for safe parameter binding.