Secure Python code - volunteers for code review?

Cliff Wells clifford.wells at comcast.net
Wed Oct 13 11:20:09 EDT 2004


On Wed, 2004-10-13 at 16:53 +0200, Gerhard Haering wrote:
> On Tue, Oct 12, 2004 at 10:25:58PM -0700, Cliff Wells wrote:
> > [Josiah Carlson requests a security review of his code storing/receiving
> > email data from a PostgreSQL database]
> >
> > A more straightforward way is to simply use prepare() religiously.
> > This also avoids the headache of having to decode your data if you
> > use a different program to access it (such as psql or mysql).
> 
> There's no prepare() in the DB-API. Letting the database module do the
> quoting should be enough to stay clear of SQL injection attacks.

Ah, right.  Too much language switching and not enough sleep (it's
8:00AM here and I haven't seen a bed yet) :P  

-- 
Cliff Wells <clifford.wells at comcast.net>
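An added illustration of the point Gerhard makes above (letting the DB-API module do the quoting), not code from anyone in this thread. It uses the standard-library sqlite3 module as an offline stand-in for the PostgreSQL store Josiah described; the table layout, the sample messages and the function names are all constructed for the example.

```python
import sqlite3

# Constructed sample data: values that break or alter naively string-built SQL.
SAMPLE_MESSAGES = [
    ("alice@example.com", "Re: O'Brien's report", "Quoted 'text' and a ; semicolon"),
    ("bob@example.com", 'Subject with "double quotes"', "Body with -- dashes and a \\ backslash"),
    ("carol@example.com", "Unicode \u00fcn\u00efc\u00f6d\u00e9", "Tab\tand newline\nin body"),
]

# DB-API 2.0 modules advertise their placeholder syntax in module.paramstyle.
# sqlite3 is 'qmark'; psycopg2 (PostgreSQL) is 'pyformat'. Either way the
# placeholder goes to execute() and the values travel separately.
PLACEHOLDERS = {
    "qmark": "?",
    "format": "%s",
    "pyformat": "%s",
    "numeric": ":1",
    "named": ":name",
}


def placeholder(paramstyle):
    """Return the placeholder token for a DB-API paramstyle string."""
    return PLACEHOLDERS[paramstyle]


def open_db():
    """In-memory SQLite database standing in for the PostgreSQL email store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE email (id INTEGER PRIMARY KEY, sender TEXT, subject TEXT, body TEXT)"
    )
    return conn


def store_message_unsafe(conn, sender, subject, body):
    """Anti-pattern: values spliced into the SQL text, so any quote in the
    data is parsed as SQL. Kept here only to show the failure mode."""
    sql = "INSERT INTO email (sender, subject, body) VALUES ('%s', '%s', '%s')" % (
        sender, subject, body)
    conn.execute(sql)


def store_message(conn, sender, subject, body):
    """DB-API style: the driver binds the values; no escaping or decoding
    is done by the application, so psql shows the stored text as-is."""
    conn.execute(
        "INSERT INTO email (sender, subject, body) VALUES (?, ?, ?)",
        (sender, subject, body),
    )


def fetch_by_sender(conn, sender):
    """Parameterised lookup; returns [(subject, body), ...] in insertion order."""
    cur = conn.execute(
        "SELECT subject, body FROM email WHERE sender = ? ORDER BY id", (sender,)
    )
    return cur.fetchall()


def roundtrip_all(conn, messages):
    """Store every message with bound parameters and confirm each one is
    read back unchanged, quotes, semicolons, tabs and newlines included."""
    for sender, subject, body in messages:
        store_message(conn, sender, subject, body)
    return all(
        fetch_by_sender(conn, sender) == [(subject, body)]
        for sender, subject, body in messages
    )


def demo():
    """Returns (unsafe_version_failed, parameterised_roundtrip_ok)."""
    conn = open_db()
    try:
        # The apostrophe in "O'Brien's" terminates the string literal early.
        store_message_unsafe(conn, *SAMPLE_MESSAGES[0])
        unsafe_failed = False
    except sqlite3.Error:
        unsafe_failed = True
    return unsafe_failed, roundtrip_all(conn, SAMPLE_MESSAGES)


if __name__ == "__main__":
    print("placeholder for sqlite3:", placeholder(sqlite3.paramstyle))
    print("unsafe failed, parameterised ok:", demo())
```

The same code runs against psycopg2 by swapping `?` for `%s`; the data still never touches the query text, which is what makes the module's own quoting sufficient against injection and removes the need to encode or decode anything before another client such as psql reads it.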



