Protecting against SQL injection
Tor Erik Soenvisen
toreriks at hotmail.com
Tue Oct 24 03:43:43 EDT 2006
Hi,
How safe is the following code against SQL injection:
import sha  # Python 2 sha module (pre-hashlib); provides sha.new() used below

# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
# Note: % binds tighter than +, so only the second literal is formatted
sql = 'SELECT privilege FROM staff WHERE ' + \
      'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)
pw is the supplied password and uname is the supplied password.
regards
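The same lookup written with DB-API bind parameters, as an added example that is not part of the original post: sqlite3 stands in for the poster's oraDB connection (Oracle drivers use :name placeholders instead of ?), hashlib.sha1 replaces the sha module, and the staff row is constructed sample data.

```python
import hashlib
import sqlite3

# Added example, not the poster's code: bind parameters instead of
# quote-escaping plus string formatting. sqlite3 is an in-memory stand-in
# for the poster's Oracle connection and uses '?' placeholders.

def make_db():
    """Constructed sample table with one staff row whose name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)")
    conn.execute(
        "INSERT INTO staff VALUES (?, ?, ?)",
        ("o'brien", hashlib.sha1(b"secret").hexdigest(), "admin"),
    )
    return conn

def get_privilege(conn, uname, pw):
    """Return the privilege for a matching username/password, or None.

    The driver sends uname and the digest as data, separate from the SQL
    text, so quote characters in the input cannot change the statement's
    structure and no manual escaping is needed.
    """
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest()
    sql = "SELECT privilege FROM staff WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, digest)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(get_privilege(db, "o'brien", "secret"))  # admin
    print(get_privilege(db, "o'brien", "wrong"))   # None
    # A username made of quote characters is simply an unknown username.
    print(get_privilege(db, "a'b\"c", "secret"))   # None
```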