Server-side programming
Neil Hodgson
nhodgson at bigpond.net.au
Sun Sep 21 18:09:55 EDT 2003
Alan Kennedy:
> AFAIK, the most effective way to prevent such attacks is to disable
> any quote characters that may be present in the password, so that they
> are treated as a part of the password string, not as delimiters in the
> SQL query string. For example
> ...
> Does anyone know of a more effective approach to preventing SQL
> injection attacks?
Separate your parameters from the SQL and rely on the database to perform
the substitution like this:
    # ':1' / ':2' is the DB-API 'numeric' paramstyle; check the driver's
    # paramstyle attribute, since some use '?' (qmark) or ':name' (named).
    c.execute("select * from users where uname=:1 and pw=:2",
              (username, password))
This may also improve performance by allowing the database to cache the
preparation of the statement as it stays constant.
Neil
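An added example (not from either poster) that contrasts the two approaches discussed above with the standard sqlite3 driver, which uses the '?' (qmark) paramstyle rather than the ':1' numeric style in Neil's snippet. The users table, the 'alice' row and the quote-containing password are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with a single user row.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (uname text, pw text)")
    conn.execute("insert into users values (?, ?)", ("alice", "s3cret"))
    conn.commit()
    return conn


def find_user_unsafe(conn, username, password):
    # Statement built by string formatting: a quote in the input becomes
    # part of the SQL grammar instead of part of the compared value.
    sql = "select uname from users where uname='%s' and pw='%s'" % (username, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_user(conn, username, password):
    # Parameters travel separately from the SQL text; the driver binds them
    # as values, so quote characters never reach the parser as delimiters.
    sql = "select uname from users where uname=? and pw=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    quoted_pw = "x' or 'a'='a"  # constructed input containing quote characters
    return {
        "paramstyle": sqlite3.paramstyle,
        "unsafe": find_user_unsafe(conn, "alice", quoted_pw),
        "safe": find_user(conn, "alice", quoted_pw),
        "safe_ok": find_user(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized lookup returns no row for the quote-containing password while the formatted one matches, which is the difference the thread is about.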