**Cam** @cam@efdn.club · Sep 24, 2025, 15:21

**Cam** @cam@efdn.club · Sep 24, 2025, 15:21

Cam @cam@efdn.club

why are f strings vulnerable to SQL injection but the % operator (for strings, not modulo) isn’t?

**Big Clod, Tiny 🎈** @wallhackio@cat.family · 2025-09-24T16:52:54Z

Big Clod, Tiny 🎈 @wallhackio@cat.family

@cam where did you hear this?

**Cam** @cam@efdn.club · Sep 24, 2025, 19:23

**Cam** @cam@efdn.club · Sep 24, 2025, 19:23

Cam @cam@efdn.club

@wallhackio idk where I first heard it I’ve just heard that python f strings are vulnerable to sql injection but string substitution with % isn’t

**Big Clod, Tiny 🎈** @wallhackio@cat.family · Sep 24, 2025, 19:29

**Big Clod, Tiny 🎈** @wallhackio@cat.family · Sep 24, 2025, 19:29

Big Clod, Tiny 🎈 @wallhackio@cat.family

@cam that sounds wrong to me but i am not a python ninja so there could be some subtle shit i am not aware of

**Cam** @cam@efdn.club · Sep 24, 2025, 19:51

**Cam** @cam@efdn.club · Sep 24, 2025, 19:51

Cam @cam@efdn.club

@wallhackio to be fair the best practice is to use prepared statements anyway