Which approach correctly prevents SQL injection in this Python database query?
Example
# Option A
cursor.execute("SELECT * FROM users WHERE email = '" + email + "'")
# Option B
cursor.execute("SELECT * FROM users WHERE email = %s", (email,))
# Option C
safe_email = email.replace("'", "''")
cursor.execute(f"SELECT * FROM users WHERE email = '{safe_email}'")
Tuesday, May 26, 2026 · A new challenge drops every day