Python or PHP?
Peter Ammon
gershwin at splintermac.com
Sat Apr 23 21:08:04 EDT 2005
Leif K-Brooks wrote:
> John Bokma wrote:
>
>> my $sort = $cgi->param( "sort" );
>> my $query = "SELECT * FROM table WHERE id=? ORDER BY $sort";
>
>
> And the equivalent Python code:
>
>
> cursor.execute('SELECT * FROM table WHERE id=%%s ORDER BY %s' % sort,
> [some_id])
>
> You're right, of course, about being *able* to write code with SQL
> injection vulnerabilities in Python. But it's not even close to being as
> easy as in PHP.
I'm bewildered why you haven't mentioned magic quotes. A one line
change to the configuration file can render your PHP site almost
entirely immune to SQL injection attacks.
-Peter
--
Pull out a splinter to reply.
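The `ORDER BY` column in the quoted snippets is an identifier, not a value, so a database driver cannot pass it as a bind parameter and quote-escaping of the input does not apply to it; the standard defence is to accept only an exact match against an allowlist of column names while the `id` stays a bound parameter. The following is an added example, not code from the thread, using Python's `sqlite3` and a constructed `items` table (the thread's `table` is a reserved word in SQLite):

```python
import sqlite3

# Constructed allowlist: the only columns a client may sort on.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "created"})


def is_safe_sort(sort):
    """True only for an exact allowlist match; no escaping is attempted."""
    return sort in ALLOWED_SORT_COLUMNS


def build_query(sort):
    """Return the quoted query with a validated ORDER BY column.

    The id remains a '?' bind parameter.  Only the column name, which a
    driver cannot bind, is interpolated, and only after is_safe_sort()
    has accepted it.  Anything else is rejected rather than sanitised.
    """
    if not is_safe_sort(sort):
        raise ValueError("unsupported sort column: %r" % (sort,))
    return "SELECT * FROM items WHERE id=? ORDER BY %s" % sort


def fetch(conn, some_id, sort):
    """Run the validated query; some_id travels as a bind parameter."""
    return conn.execute(build_query(sort), [some_id]).fetchall()


def demo_connection():
    """In-memory database holding a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [
            (1, "b", "2005-04-22"),
            (1, "a", "2005-04-23"),
            (2, "c", "2005-04-21"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = demo_connection()
    print(fetch(db, 1, "name"))      # sorted by name
    print(fetch(db, 1, "created"))   # sorted by created
    print(is_safe_sort("name DESC"))  # False: not an exact column name
```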