Web App like Google
Graham Fawcett
graham.fawcett at gmail.com
Tue Jul 12 13:07:37 EDT 2005
In translating natural language to SQL, be sure you're not introducing
opportunities for SQL injection attacks. Code like
sql = 'SELECT %s FROM %s' % (this, that)
is considered dangerous, because a well-crafted value for "that" can be
used to, e.g., delete rows from your tables, run system commands, etc.
You can save a lot of worry by using a database account with read-only
privileges, but you still have to be careful. My advice is to read up
on "sql injection" before going too public with your code.
Graham
More information about the Python-list
mailing list