sql escaping module - Frank Millman Followup

David Bear david.bear at asu.edu
Thu Dec 8 16:56:26 EST 2005


> Steve Holden wrote:
> 
>> Fredrik Lundh wrote:
>>> Frank Millman wrote:
>>> 
>>> Each of the API's includes the capability of passing commands in the
>>> form of 'string + parameters' directly into the database. This means
>>> that the data values are never embedded into the SQL command at all,
>>> and therefore there is no possibility of injection attacks.
My news server didn't get Frank's initial post to the group, so I'm glad that
Steve included it in his followup.

The statement above can cause relief or pain. Letting the DBAPI handle
proper string escapes, formatting, etc., is a big relief. However, I am
still wondering what happens under the covers. If I have a string '1\n'
that I've read from some source and I really intend on inserting it into
the database as the number 1, and the table column it goes into is of type int
or num or float, will the DBAPI really know what to do with the newline?



-- 
David Bear
-- let me buy your intellectual property, I want to own your thoughts --
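As an added example (not part of David's post or anything else in the original thread): what DB-API parameter binding actually does with a string like '1\n'. It uses the standard-library sqlite3 module as the driver; the table, the column names and the values are constructed for illustration, and the `coerce_int` helper is an assumption of the example, not part of any DB-API driver. The driver binds the Python value exactly as given, newline included, and never splices it into the SQL text; whether the engine would then coerce the text '1\n' in an INTEGER column is engine-specific, so the example does the conversion in Python before binding and refuses anything that is not a clean integer.

```python
# Added example (not from the original thread): what DB-API parameter
# binding does with the string '1\n', using the standard-library sqlite3
# driver. The table and values below are constructed for illustration.
import sqlite3


def coerce_int(value):
    """Application-side conversion done *before* the value is bound.

    int() tolerates surrounding whitespace, so '1\\n' becomes 1, but it
    rejects anything that is not a plain integer literal ('1 OR 1=1',
    '', '1.0'), raising ValueError instead of letting junk reach the DB.
    """
    if isinstance(value, bool):          # True/False are ints in Python; refuse them
        raise ValueError("boolean is not an integer value")
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        return int(value)
    raise ValueError("unsupported type %s" % type(value).__name__)


def run_demo():
    """Bind '1\\n' and a hostile string as parameters and report what the
    engine actually stored; returns rows as (raw, typeof(raw), n, typeof(n))."""
    con = sqlite3.connect(":memory:")
    # 'raw' has no declared type (BLOB affinity), so SQLite keeps exactly
    # what the driver binds; 'n' is the typed column the post asks about.
    con.execute("CREATE TABLE readings (raw, n INTEGER)")

    # The newline is bound as data: it is neither escaped nor stripped.
    con.execute("INSERT INTO readings (raw, n) VALUES (?, ?)",
                ("1\n", coerce_int("1\n")))

    # A hostile value stays a literal string; nothing is spliced into the SQL.
    hostile = "1); DROP TABLE readings; --"
    con.execute("INSERT INTO readings (raw) VALUES (?)", (hostile,))

    rows = con.execute(
        "SELECT raw, typeof(raw), n, typeof(n) FROM readings ORDER BY rowid"
    ).fetchall()
    table_count = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'readings'"
    ).fetchone()[0]
    con.close()
    return {"rows": rows, "table_exists": table_count == 1}


if __name__ == "__main__":
    for row in run_demo()["rows"]:
        print(repr(row))
```

The design point is that parameter binding solves the injection problem but not the typing problem: the value arrives at the engine as the text '1\n', and what happens next depends on the engine's coercion rules. Converting in the application with a strict parser keeps the behaviour the same across drivers and turns a bad value into an exception at the boundary rather than a surprise in the table.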


