Dynamic (#77)

tests/dynamic_fixtures/python/sqli_negative.py

@@ -0,0 +1,18 @@
+"""SQL injection — negative fixture.
+
+Safe function: uses parameterized queries.
+Expected verdict: NotConfirmed (parameterized query prevents injection).
+"""
+import sqlite3
+
+
+def login(username):
+    """Safe login: parameterized query prevents SQL injection."""
+    conn = sqlite3.connect(":memory:")
+    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
+    conn.execute("INSERT INTO users VALUES (1, 'alice')")
+    # Safe: parameterized query
+    rows = conn.execute("SELECT name FROM users WHERE name=?", (username,)).fetchall()
+    for row in rows:
+        print(row[0])
+    conn.close()