sql escaping module - Frank Millman Followup

Steve Holden steve at holdenweb.com
Fri Dec 9 03:07:32 EST 2005


David Bear wrote:
>>Steve Holden wrote:
> 
> 
>>Fredrik Lundh wrote:
>>
>>>Frank Millman wrote:
>>>
>>>>Each of the APIs includes the capability of passing commands in the
>>>>form of 'string + parameters' directly into the database. This means
>>>>that the data values are never embedded into the SQL command at all,
>>>>and therefore there is no possibility of injection attacks.
>>>
> 
> My news server didn't get Frank's initial post to the group, so I'm glad that
> Steve included it in his followup.
> 
> The statement above can cause relief or pain. Letting the DBAPI handle
> proper string escapes, formatting, etc., is a big relief. However, I am
> still wondering what happens under the covers. If I have a string '1\n'
> that I've read from some source and I really intend on inserting it into
> the database as a number 1, if the table column it goes into is of type int
> or num or float, will the DBAPI really know what to do with the newline?
> 
Yes. If you read the DB API documentation 
(http://www.python.org/peps/pep-0249.html) you will see that there's a 
section on "Type Objects and Constructors". It's those that ensure a 
value will be coerced into the required form if possible.

regards
  Steve
-- 
Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC                     www.holdenweb.com
PyCon TX 2006                  www.python.org/pycon/
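The point the thread turns on, shown as an added example (my code, not anything posted to this list): with DB-API parameter binding the SQL text and the data travel separately, so a quote character in the input cannot alter the command, whereas splicing the value into the string lets it do exactly that. The second part of the question, what happens to '1\n' headed for an integer column, is handled here by converting in Python before binding; whether a given driver would coerce it silently is driver-specific, so the defensive choice is to do the conversion yourself. It uses the standard-library sqlite3 module (qmark paramstyle) and a constructed in-memory users table; the table contents and the `coerce_int` helper are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration; not data from the thread.
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Anti-pattern: the value is embedded in the SQL text, so quote characters
    in `name` become part of the command itself."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """DB-API style: the SQL text is fixed and the value is bound as a parameter
    (sqlite3 uses the qmark paramstyle), so `name` is only ever data."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def coerce_int(raw):
    """Hypothetical helper: convert untrusted text to int before binding.
    int() strips surrounding whitespace, so '1\n' -> 1; anything that is not a
    plain integer literal yields None and the caller decides what to do."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def insert_id_coerced(conn, raw):
    """Coerce in Python, then bind; returns the stored id and its SQLite type."""
    value = coerce_int(raw)
    if value is None:
        raise ValueError("not an integer: %r" % (raw,))
    conn.execute(
        "INSERT INTO users (id, name, password) VALUES (?, ?, ?)",
        (value, "carol", "x"),
    )
    return conn.execute(
        "SELECT id, typeof(id) FROM users WHERE name = ?", ("carol",)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print("embedded:     ", lookup_vulnerable(db, hostile))   # every row comes back
    print("parameterized:", lookup_parameterized(db, hostile))  # no row has that literal name
    print("coerced '1\\n':", insert_id_coerced(db, "1\n"))
```

The parameterized lookup returns nothing for the hostile input because the driver compares the `name` column against the literal string `' OR '1'='1`, never against a rewritten WHERE clause; the coercion step turns the question "will the driver know what to do with the newline?" into a decision made, and checked, in your own code.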