mod_python
Carsten Haese
carsten at uniqsys.com
Sun Nov 6 20:00:17 EST 2005
On Sun, 06 Nov 2005 23:29:01 -0000, Jim Segrave wrote
> In article <1131249790.713791.186740 at g14g2000cwa.googlegroups.com>,
> Little <cookiecandyred at yahoo.com> wrote:
> > cursor.execute(
> > """INSERT INTO InventoryList (artist, title, rating) VALUES (%s,
> > %s, %s)""", (z_Name, z_rating, z_price) )
>
> I hate to ask, but what happens when I enter "a, b, c);DROP
> DATABASE;" as the entry for z_name? (Or some similar attempt to
> close the SQL statement and start a new one). I think you want to
> google for "SQL injection" and think about sanitising user input a bit.
The OP is using execute() with a parameter tuple. This is the correct method
for executing a parametrized query, and it is immune to SQL injection as long
as the DB module implements parameter substitution in a sane way.
Best regards,
Carsten Haese.
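The difference Carsten describes, as an added example that is not from this thread: the same INSERT done once by string formatting and once with a parameter tuple, against an in-memory sqlite3 database (sqlite3 uses `?` placeholders where the OP's module used `%s`). The hostile value and the function names are constructed for the example.

```python
import sqlite3

# Constructed hostile value, in the spirit of the one Jim proposed above.
HOSTILE_NAME = "a', 'b', 'c'); DROP TABLE InventoryList; --"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE InventoryList (artist TEXT, title TEXT, rating TEXT)")
    return conn

def insert_by_formatting(conn, artist, title, rating):
    """Vulnerable: values are spliced into the SQL text, so a quote inside
    the data ends the string literal and whatever follows is parsed as SQL."""
    sql = ("INSERT INTO InventoryList (artist, title, rating) "
           "VALUES ('%s', '%s', '%s')" % (artist, title, rating))
    conn.execute(sql)

def insert_parametrized(conn, artist, title, rating):
    """Safe: the SQL text is constant; the driver binds the values
    separately, so they can never alter the statement's structure."""
    conn.execute(
        "INSERT INTO InventoryList (artist, title, rating) VALUES (?, ?, ?)",
        (artist, title, rating),
    )

def stored_artists(conn):
    return [row[0] for row in conn.execute("SELECT artist FROM InventoryList")]

def compare(name):
    """Insert `name` both ways; return (formatting outcome, parametrized rows)."""
    conn = make_db()
    try:
        insert_by_formatting(conn, name, "Some Title", "5")
        outcome = "ran as one INSERT"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # The data changed the statement: either a syntax error, or a
        # second statement that sqlite3's execute() refuses to run.
        outcome = "structure changed: " + type(exc).__name__
    conn = make_db()
    insert_parametrized(conn, name, "Some Title", "5")
    return outcome, stored_artists(conn)

if __name__ == "__main__":
    print(compare(HOSTILE_NAME))  # parametrized path stores the string as plain data
    print(compare("O'Brien"))     # even an ordinary apostrophe breaks the formatted version
```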