do not pass hardcoded credentials

Docs > Code Analysis > Static Analysis Rules > do not pass hardcoded credentials

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: python-security/sql-server-security-credentials

Language: Python

Severity: Error

Category: Security

Description

Hardcoding database credentials directly in your source code is a security risk as anyone with access to your source code and see your credentials. It’s strongly recommended to use a different approach that limits the exposure of your credentials.

Non-Compliant Code Examples

import psycopg2

conn = psycopg2.connect(database="db_name",
                        host="db_host",
                        user="db_user",
                        password="db_pass", # hardcoded password
                        port="db_port")

import mysql.connector

connection = mysql.connector.connect(
  host=host,
  user=user,
  passwd=f"password", # hardcoded password
  database=database,
  charset='utf8mb4',
  use_pure=True,
  connection_timeout=5)

import mysql.connector

connection = mysql.connector.connect(
  host=host,
  user=user,
  passwd="password", # hardcoded password
  database=database,
  charset='utf8mb4',
  use_pure=True,
  connection_timeout=5)

Compliant Code Examples

import mysql.connector

connection = mysql.connector.connect(
  host=host,
  user=user,
  passwd=password,
  database=database,
  charset='utf8mb4',
  use_pure=True,
  connection_timeout=5)

import mysql.connector

connection = mysql.connector.another_function(
  host=host,
  user=user,
  passwd=f"password",
  database=database,
  charset='utf8mb4',
  use_pure=True,
  connection_timeout=5)