Python cross-site scripting exploits?
Fredrik Lundh
fredrik at pythonware.com
Sun May 26 08:42:42 EDT 2002
Ian Bicking wrote:
> SQL quoting is obnoxious, because you often will construct a SQL statement
> from multiple sources, some of which come from the user (and are
> \-quoted) and some which do not. If you double-quote the user's input,
> you will again get spurious \'s (since input like "joe'; arbitrary sql"
> will become "joe\'; arbitrary sql" and then "'joe\\\'; arbitrary sql'")
>
> Perl's tainting is better, but simple thoughtfulness is sufficient,
> IMHO. And thorough quoting.
fwiw, a Swedish tabloid recently managed to log in as privileged
intraweb users on a whole bunch of commercial sites simply by
typing carefully selected SQL fragments into ordinary login boxes.
no real hacking required; just type some boilerplate SQL into
the password field, and you're in.
(some days, I wonder if programmer certification isn't such a
bad idea, after all...)
</F>
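To make both halves of the thread concrete, here is an added example (not code from either poster): a login check that interpolates the form fields into the statement, the kind a pasted SQL fragment in the password box defeats, beside the same check with bound parameters, plus a hand-rolled quoter applied once and twice to show the spurious quotes Ian describes. It uses the standard-library sqlite3 module (which doubles single quotes rather than backslash-escaping them); the table, columns, the "joe"/"hunter2" account and the scratch table are assumptions for illustration.

```python
"""Added example, not from the original thread. SQL injection through a
string-built login query, the parameterized fix, and the double-quoting
pitfall. Table/column names and credentials are constructed for the demo."""
import sqlite3


def make_db():
    """In-memory database holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('joe', 'hunter2', 1)")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Pastes the form fields straight into the statement text, so
    whatever the user types is parsed as SQL. Returns the matched
    user name or None."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """Same check with bound parameters: the statement text is fixed and
    the driver passes the values separately, so they can never become
    SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


# Boilerplate fragment typed into the password field: the leading quote
# closes the literal and the OR makes the WHERE clause true for every row.
INJECTION = "' OR '1'='1"


def quote_literal(value):
    """Hand-rolled SQL string quoting: wrap in single quotes and double any
    embedded single quote (the SQL-standard form; sqlite3 does not treat
    backslash as an escape). Correct only when applied exactly once."""
    return "'" + value.replace("'", "''") + "'"


def round_trip(conn, raw, times):
    """Apply quote_literal TIMES times, insert the result as a literal into
    a scratch table, and return what actually landed in the row. With
    times=2 the stored value carries a spurious outer quote pair and a
    doubled inner quote, the mangling Ian's message warns about."""
    literal = raw
    for _ in range(times):
        literal = quote_literal(literal)
    conn.execute("CREATE TABLE IF NOT EXISTS scratch (v TEXT)")
    conn.execute("DELETE FROM scratch")
    conn.execute("INSERT INTO scratch VALUES (%s)" % literal)
    return conn.execute("SELECT v FROM scratch").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong user + injected password:",
          login_vulnerable(db, "nobody", INJECTION))
    print("parameterized, same input:",
          login_parameterized(db, "nobody", INJECTION))
    print("quoted once:", round_trip(db, "joe'; arbitrary sql", 1))
    print("quoted twice:", round_trip(db, "joe'; arbitrary sql", 2))
```

The parameterized version needs no quoting at all, which is exactly what removes the "was this already escaped?" bookkeeping: the value is bound once, by the driver, at the one place it meets the statement.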