Protecting against SQL injection
Steve Holden
steve at holdenweb.com
Tue Oct 24 07:31:09 EDT 2006
Tor Erik Soenvisen wrote:
> Hi,
>
> How safe is the following code against SQL injection:
>
> # Get user privilege
> digest = sha.new(pw).hexdigest()
> # Protect against SQL injection by escaping quotes
> uname = uname.replace("'", "''")
> sql = 'SELECT privilege FROM staff WHERE ' + \
> 'username=\'%s\' AND password=\'%s\'' % (uname, digest)
> res = self.oraDB.query(sql)
>
> pw is the supplied password and uname is the supplied password.
>
Slightly safer than not doing anything to the user-supplied inputs, but
nowhere near as safe as it needs to be. Use parameterized queries!
regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC/Ltd http://www.holdenweb.com
Skype: holdenweb http://holdenweb.blogspot.com
Recent Ramblings http://del.icio.us/steve.holden
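The point of Steve's reply, shown side by side as an added example (this is not code from the original thread, and it is not the poster's `oraDB` wrapper). It assumes an in-memory SQLite table named `staff` with the same three columns the post implies, `hashlib.sha1` in place of the old `sha` module, and SQLite's `?` placeholder instead of the Oracle driver's bind syntax; the usernames, passwords and privilege values are constructed sample data.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite stand-in for the Oracle
    'staff' table in the post (assumed columns: username, password, privilege)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)")
    rows = [
        ("alice", hashlib.sha1(b"s3cret").hexdigest(), "admin"),
        ("o'brien", hashlib.sha1(b"irish").hexdigest(), "user"),  # name with a quote
    ]
    con.executemany("INSERT INTO staff VALUES (?, ?, ?)", rows)
    return con


def lookup_concat(con, uname, pw, escape=True):
    """The post's approach: build the SQL text by string formatting.
    escape=True doubles single quotes as the post does; escape=False shows
    what happens with no protection at all."""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    if escape:
        uname = uname.replace("'", "''")
    sql = "SELECT privilege FROM staff WHERE " \
          "username='%s' AND password='%s'" % (uname, digest)
    return [row[0] for row in con.execute(sql)]


def lookup_param(con, uname, pw):
    """The parameterized version Steve recommends: the SQL text never contains
    user input; the driver passes uname and digest as separate bind values."""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    sql = "SELECT privilege FROM staff WHERE username=? AND password=?"
    return [row[0] for row in con.execute(sql, (uname, digest))]


if __name__ == "__main__":
    con = make_db()
    # Legitimate login works either way.
    print(lookup_concat(con, "alice", "s3cret"), lookup_param(con, "alice", "s3cret"))
    # With no escaping, a quote plus a comment marker drops the password check.
    print(lookup_concat(con, "alice'--", "wrong", escape=False))
    # Quote doubling stops that particular payload; binding stops it without
    # the code having to know anything about the database's literal syntax.
    print(lookup_concat(con, "alice'--", "wrong"), lookup_param(con, "alice'--", "wrong"))
    # A real name containing a quote is handled correctly by the bound query.
    print(lookup_param(con, "o'brien", "irish"))
```

With no escaping, `alice'--` turns the statement into `... WHERE username='alice'--' AND password='...'` and the password clause is commented away. Doubling quotes blocks that one payload, which is why the original code is "slightly safer than nothing", but it only protects the one literal syntax the programmer thought of. With `lookup_param` the user input is never part of the SQL text, so there is nothing to escape; with the Oracle driver the same query is written with its own bind placeholders (cx_Oracle uses `:name`) rather than SQLite's `?`.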