Secure Python code - volunteers for code review?
Josiah Carlson
jcarlson at uci.edu
Wed Oct 13 14:21:28 EDT 2004
> > Thankfully, other languages are able to translate to/from hex *wink*.
>
> Well, paint me ignorant, but I'm unaware of any feature in psql or mysql
> (or any other tool, for that matter) that translates hex data to a
> human-readable form without explicitly wrapping each field in your query
> in a function call (and this precludes queries such as "SELECT * FROM
> foo"). I'm not certain what you mean by "other languages" as I was
> referring to the command line tools shipped with PostgreSQL and MySQL
> respectively.
What I meant by other languages was languages like php, perl, tcl,
lisp, C, C++, Java, or any other language in which one would be using
data from SQL databases.
> Anyone who does a lot of database work inevitably finds themselves using
> the stock tools to review/revise data, so IMO, encoding the data is far
> too tedious when there is an existing method for providing safe queries
> that doesn't incur this overhead.
Mayhaps we should look at the context that the post was in: a Python
newsgroup/mailing list. Since encoding and decoding hex is available in
Python, at least in this application, it seems sufficient. It does
suffer from the pre- and post-processing requirements that have been
discussed, but prepare only saves you the post-processing.
Whether or not the original poster will be spending their time using
console SQL commands to audit data, I don't know. Which one is better
for a particular application may depend on that application. Prepare is
likely the best solution for most cases.
- Josiah
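The two approaches compared in this thread, hex-encoding the value (with its pre- and post-processing) versus a parameterised "prepare"-style query, as an added example that is not part of the original post. It uses Python's standard-library sqlite3 module and an assumed table `foo(id, name)`; the sample value is constructed.

```python
import sqlite3


def new_db():
    """Fresh in-memory database with the assumed table foo(id, name)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def round_trip_hex(value):
    """Hex-encoding scheme.

    Returns (what a console 'SELECT * FROM foo' would show, what the
    application recovers after decoding).
    """
    conn = new_db()
    # Pre-processing: only [0-9a-f] ever reaches the SQL text, so the
    # quoting of the literal cannot be broken by the data itself.
    encoded = value.encode("utf-8").hex()
    conn.execute("INSERT INTO foo (name) VALUES ('%s')" % encoded)
    stored = conn.execute("SELECT name FROM foo").fetchone()[0]
    # Post-processing: every read has to decode; the stock console tools
    # show only the hex string, which is the overhead the thread discusses.
    recovered = bytes.fromhex(stored).decode("utf-8")
    return stored, recovered


def round_trip_param(value):
    """Parameterised query: the driver keeps the value out of the SQL text,
    and the stored form is directly readable from the console tools."""
    conn = new_db()
    conn.execute("INSERT INTO foo (name) VALUES (?)", (value,))
    stored = conn.execute("SELECT name FROM foo").fetchone()[0]
    return stored, stored


if __name__ == "__main__":
    sample = "O'Reilly"  # constructed value containing a single quote
    print(round_trip_hex(sample))    # ('4f275265696c6c79', "O'Reilly")
    print(round_trip_param(sample))  # ("O'Reilly", "O'Reilly")
```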