sqlite3 - adding tables and rows via parameters

Vlastimil Brom vlastimil.brom at gmail.com
Sat Apr 12 18:38:05 EDT 2008


2008/4/13, Steve Holden <steve at holdenweb.com>:
>
> Vlastimil Brom wrote:
> > ... are there any (security ...) risks of using string interpolation
> > for table and column names in the SQL commands? Or are the values,
> > where parametrization (with ? in sqlite3) is supported, the only
> > vulnerable part; whereas e.g. an incorrect value of what should be a
> > name is safe (of course, apart from the unsuccessful command itself)?
> >
>
> Ultimately that depends where the table and column names come from. If
> they are user inputs then you are still vulnerable to SQL injection, but
> usually that's not the case when a query is being parameterized -
> usually it's values.
>
> As long as you consider the source of your data carefully you'll
> probably be OK.
>
>
> regards
>   Steve
> --
> Steve Holden        +1 571 484 6266   +1 800 494 3119
> Holden Web LLC              http://www.holdenweb.com/
>
Thanks again,
there shouldn't be any insecure data I am now aware of; I just didn't want
to introduce possible problem sources,
if there would be some more appropriate solution available :-)

Regards,
  Vlasta
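As an added illustration of the point made in the thread (not code from either poster): values go through `?` placeholders, while table and column names, which sqlite3 cannot parameterize, are checked against an allow-list the application owns and then quoted as identifiers. The `ALLOWED_TABLES` layout and the helper names are assumptions made for this example.

```python
import sqlite3

# Allow-list of the identifiers this application actually owns (constructed for the example).
ALLOWED_TABLES = {"users": ("name", "email")}


def quote_identifier(name, allowed):
    """Reject names not on the allow-list, then quote the survivor as an SQL identifier.

    '?' placeholders only work for values, so a name has to be validated before
    it is interpolated; doubling embedded quotes is standard identifier quoting.
    """
    if name not in allowed:
        raise ValueError("unknown identifier: %r" % (name,))
    return '"' + name.replace('"', '""') + '"'


def create_tables(conn):
    for table, columns in ALLOWED_TABLES.items():
        cols = ", ".join(quote_identifier(c, columns) + " TEXT" for c in columns)
        conn.execute("CREATE TABLE %s (%s)" % (quote_identifier(table, ALLOWED_TABLES), cols))


def insert_row(conn, table, row):
    """Insert `row` (dict column -> value): names are allow-listed, values parameterized."""
    columns = ALLOWED_TABLES.get(table)
    if columns is None:
        raise ValueError("unknown table: %r" % (table,))
    names = ", ".join(quote_identifier(c, columns) for c in row)
    placeholders = ", ".join("?" for _ in row)
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        quote_identifier(table, ALLOWED_TABLES), names, placeholders)
    conn.execute(sql, tuple(row.values()))   # values travel as parameters, never as SQL text
    conn.commit()


def fetch_all(conn, table):
    return conn.execute("SELECT * FROM %s" % quote_identifier(table, ALLOWED_TABLES)).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    create_tables(conn)
    # A hostile-looking value is stored literally because it is bound, not interpolated.
    insert_row(conn, "users", {"name": "Robert'); DROP TABLE users; --", "email": "rob@example.com"})
    rows = fetch_all(conn, "users")
    rejected = []
    for table, row in [('users"; DROP TABLE users; --', {"name": "x"}), ("users", {"name; --": "x"})]:
        try:
            insert_row(conn, table, row)
            rejected.append(False)
        except ValueError:          # names that are not on the allow-list never reach SQL
            rejected.append(True)
    return rows, rejected
```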