Secure Python code - volunteers for code review?

Gerhard Haering gh at ghaering.de
Wed Oct 13 10:53:54 EDT 2004


On Tue, Oct 12, 2004 at 10:25:58PM -0700, Cliff Wells wrote:
> [Josiah Carlson requests a security review of his code storing/receiving
> email data from a PostgreSQL database]
>
> A more straightforward way is to simply use prepare() religiously.
> This also avoids the headache of having to decode your data if you
> use a different program to access it (such as psql or mysql).

There's no prepare() in the DB-API. Letting the database module do the
quoting should be enough to stay clear of SQL injection attacks.

And this his code does, from what I can see. The SQL stuff is hard to
read for me, though. Maybe the database access code should be factored
out more and put in a class of its own.

-- Gerhard
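The point Gerhard makes, that parameter binding in the DB-API module is what keeps you clear of SQL injection and also removes any need to escape or later un-escape the stored mail data, as an added example that is not part of the original thread and not Josiah's code. It uses the standard-library sqlite3 module (a DB-API 2.0 module with qmark `?` placeholders) so it runs offline; the PostgreSQL module discussed in the thread would use its own paramstyle (psycopg2 uses `%s`), but the `execute(sql, params)` call is the same. The table layout and the sample messages are constructed for the example.

```python
import sqlite3

# Constructed sample data: a few fake messages, including bodies with quotes,
# semicolons and CRLF that would break SQL assembled by string formatting.
SAMPLE_MESSAGES = [
    ("alice@example.org", "Meeting at 10; bring the O'Reilly book"),
    ("bob@example.org", "Re: budget -- see attached"),
    ("carol@example.org", "Subject: it's done\r\n\r\nDrop me a line"),
]


def open_db():
    # In-memory database with a minimal (hypothetical) mail table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail (id INTEGER PRIMARY KEY, sender TEXT NOT NULL, body TEXT NOT NULL)"
    )
    return conn


def store_message(conn, sender, body):
    # Parameter binding: the values travel separately from the SQL text, so the
    # database never parses the body as SQL. Nothing is escaped on the way in,
    # so nothing has to be decoded on the way out (psql sees the raw text too).
    cur = conn.execute("INSERT INTO mail (sender, body) VALUES (?, ?)", (sender, body))
    return cur.lastrowid


def bodies_from_unsafe(conn, sender):
    # Deliberately vulnerable: the caller's string is spliced into the statement,
    # so a quote in it ends the literal and the rest becomes SQL.
    sql = "SELECT body FROM mail WHERE sender = '%s'" % sender
    return [row[0] for row in conn.execute(sql)]


def bodies_from(conn, sender):
    # Same query with a bound parameter: the whole string is compared as data.
    return [row[0] for row in conn.execute("SELECT body FROM mail WHERE sender = ?", (sender,))]


def demo():
    conn = open_db()
    for sender, body in SAMPLE_MESSAGES:
        store_message(conn, sender, body)

    # Classic tautology payload in the "sender" field.
    payload = "nobody@example.org' OR '1'='1"
    leaked = bodies_from_unsafe(conn, payload)   # returns every row
    safe = bodies_from(conn, payload)            # no sender literally equals the payload
    roundtrip = bodies_from(conn, "alice@example.org")  # quote stored verbatim
    return {"leaked": len(leaked), "safe": len(safe), "roundtrip": roundtrip[0]}


if __name__ == "__main__":
    print(demo())
```

The same discipline applies to `executemany()` for bulk inserts; what matters is that every value, including ones you "know" are safe, goes through the params tuple rather than into the SQL string.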


