Python or PHP?
Leif K-Brooks
eurleif at ecritters.biz
Sat Apr 23 17:40:47 EDT 2005
Mage wrote:
> However one of the worst cases is the sql injection attack. And sql
> injections must be handled neither by php nor by python but by the
> programmer.
But Python's DB-API (the standard way to connect to an SQL database from
Python) makes escaping SQL strings automatic. You can do this:
cursor.execute('UPDATE foo SET bar=%s WHERE id=%s', ["foo'bar", 123])
And "foo'bar" will be implicitly escaped to whatever is appropriate for
your database. How's that for Python handling SQL injection automatically?
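To make the point concrete, here is an added example (not code from the original post) that runs the same UPDATE both ways against an in-memory SQLite database. It assumes the sqlite3 module, whose DB-API paramstyle is `?` rather than the `%s` the post shows; the binding behaviour is the same.

```python
import sqlite3

# Added example, not from the original post: the same UPDATE built two ways.
# sqlite3 uses the DB-API "qmark" paramstyle (?); the driver quoted in the
# post uses "format" (%s). Either way the driver binds the value as data.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)")
    conn.execute("INSERT INTO foo (id, bar) VALUES (123, 'old')")
    conn.commit()
    return conn

def update_unsafe(conn, bar, row_id):
    """Builds the SQL by string formatting: the value becomes part of the
    statement text, so an embedded quote alters the statement itself."""
    sql = "UPDATE foo SET bar='%s' WHERE id=%s" % (bar, row_id)
    conn.execute(sql)
    conn.commit()

def update_safe(conn, bar, row_id):
    """DB-API parameter binding: values travel separately from the SQL and
    are never parsed as SQL, whatever characters they contain."""
    cur = conn.execute("UPDATE foo SET bar=? WHERE id=?", (bar, row_id))
    conn.commit()
    return cur.rowcount

def read_bar(conn, row_id):
    row = conn.execute("SELECT bar FROM foo WHERE id=?", (row_id,)).fetchone()
    return row[0]

def demo():
    conn = make_db()
    # The quote in "foo'bar" terminates the literal early in the hand-built
    # statement, and SQLite rejects the result as a syntax error.
    try:
        update_unsafe(conn, "foo'bar", 123)
        unsafe_result = "executed"
    except sqlite3.OperationalError:
        unsafe_result = "syntax error"
    # The bound value is stored verbatim, quote included.
    update_safe(conn, "foo'bar", 123)
    return unsafe_result, read_bar(conn, 123)

if __name__ == "__main__":
    print(demo())
```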