Protecting against SQL injection
Aahz
aahz at pythoncraft.com
Tue Oct 24 09:52:55 EDT 2006
In article <Xns986662F736DD5toreriknpolarno at 129.242.5.222>,
Tor Erik Soenvisen <toreriks at hotmail.com> wrote:
>
>How safe is the following code against SQL injection:
>
> # Get user privilege
> digest = sha.new(pw).hexdigest()
> # Protect against SQL injection by escaping quotes
> uname = uname.replace("'", "''")
> sql = 'SELECT privilege FROM staff WHERE ' + \
> 'username=\'%s\' AND password=\'%s\'' % (uname, digest)
> res = self.oraDB.query(sql)
Do yourself a favor at least and switch to using double-quotes for the
string. I also recommend switching to triple-quotes to avoid the
backslash continuation.
--
Aahz (aahz at pythoncraft.com) <*> http://www.pythoncraft.com/
"If you don't know what your program is supposed to do, you'd better not
start writing it." --Dijkstra
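For comparison with the quoted string-building, here is the same lookup written with DB-API bind parameters. This is an added example, not code from either poster; it assumes an in-memory sqlite3 table standing in for the Oracle `staff` table, and hashlib.sha1 in place of the old `sha` module.

```python
import hashlib
import sqlite3


def setup_db():
    """Constructed stand-in for the Oracle staff table (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [("alice", hashlib.sha1(b"secret").hexdigest(), "admin"),
         ("o'brien", hashlib.sha1(b"hunter2").hexdigest(), "staff")],
    )
    return conn


def privilege_by_escaping(conn, uname, pw):
    """The quoted approach: escape quotes by hand, then splice text into the SQL."""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    uname = uname.replace("'", "''")        # must never be forgotten for any value
    sql = ("SELECT privilege FROM staff WHERE "
           "username='%s' AND password='%s'" % (uname, digest))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def privilege_by_binding(conn, uname, pw):
    """Bind parameters: the SQL text is fixed, user data never becomes SQL.

    sqlite3 uses the '?' paramstyle; an Oracle driver uses its own
    placeholder syntax, but the principle is identical.
    """
    digest = hashlib.sha1(pw.encode()).hexdigest()
    sql = "SELECT privilege FROM staff WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, digest)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    # A username containing a quote is matched literally by both forms,
    # but only the bound form needs no per-value escaping step.
    print(privilege_by_escaping(db, "o'brien", "hunter2"))  # staff
    print(privilege_by_binding(db, "o'brien", "hunter2"))   # staff
    print(privilege_by_binding(db, "alice", "wrong"))       # None
```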