how to replace a string in a "SELECT ... IN ()"
Michael Mabin
d3vvnull at gmail.com
Fri Sep 26 18:05:30 EDT 2008
so you wouldn't object then to something like '.... in (%s)' %
','.join([str_edit_for_exploit(x) for x in aList])
if str_edit_for_exploit applied security edits?
On Fri, Sep 26, 2008 at 2:28 PM, Benjamin Kaplan
<benjamin.kaplan at case.edu> wrote:
>
>
> On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin <d3vvnull at gmail.com> wrote:
>
>> Doesn't it depend on where and why you intend to execute the code?
>> Obviously some SQL is more at risk for exploit when the input is from the
>> screen on a web page than if you were running parameterized code in a
>> controlled batch environment. Or if you were writing code generators (which
>> is what I happen to do) which won't be run by the general public.
>>
>> Incidentally, couldn't input field edits prevent such exploits prior to
>> interpolation?
>>
>
> There are ways to avoid SQL injection attacks, such as escaping all quotes
> in the text. We were simply pointing out that you have to be very careful
> when you add arbitrary strings into SQL statements. If you control
> everything going into the statement, you shouldn't have to worry about this.
>
>
>
--
| _ | * | _ |
| _ | _ | * |
| * | * | * |
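The three approaches the thread is weighing, side by side, as an added example (this is not code from the thread or from any of its posters): hand-quoting each value and interpolating the joined list, the same with a hypothetical "security edit" that doubles quotes (standing in for str_edit_for_exploit), and a parameterized query whose join builds the `?` placeholders instead of the values. It runs against an in-memory SQLite table with constructed rows; the function names, the table, the sample rows and the injection string are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows for this demonstration (not from the thread).
ROWS = [
    (1, "alice", "admin"),
    (2, "bob", "user"),
    (3, "carol", "user"),
    (4, "o'brien", "user"),   # a legitimate value that contains a quote
]

# A hostile "name" that closes the IN list and appends its own predicate
# (constructed for the demo).
INJECTION = "nobody') OR 1=1 --"


def make_db():
    """Build an in-memory SQLite table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def ids_by_interpolation(conn, names):
    """The risky pattern: quote each value by hand and paste it into the SQL."""
    quoted = ",".join(["'%s'" % n for n in names])
    sql = "SELECT id FROM users WHERE name IN (%s) ORDER BY id" % quoted
    return [row[0] for row in conn.execute(sql)]


def sql_edit(value):
    """Hypothetical 'security edit' in the spirit of str_edit_for_exploit:
    double every single quote, which is the correct escape for SQLite
    string literals (other databases have extra rules, e.g. backslashes)."""
    return value.replace("'", "''")


def ids_by_escaping(conn, names):
    """Interpolation again, but every value passes through sql_edit first."""
    quoted = ",".join(["'%s'" % sql_edit(n) for n in names])
    sql = "SELECT id FROM users WHERE name IN (%s) ORDER BY id" % quoted
    return [row[0] for row in conn.execute(sql)]


def ids_by_placeholders(conn, names):
    """Parameterized: the join builds '?,?,?' and the values are handed to
    the driver separately, so they never become part of the SQL text."""
    names = list(names)
    if not names:
        return []            # 'IN ()' is a syntax error in most databases
    markers = ",".join(["?"] * len(names))
    sql = "SELECT id FROM users WHERE name IN (%s) ORDER BY id" % markers
    return [row[0] for row in conn.execute(sql, names)]


def interpolation_fails(conn, names):
    """True if the hand-quoted version cannot even run for these values."""
    try:
        ids_by_interpolation(conn, names)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("interpolation, injected:", ids_by_interpolation(db, [INJECTION]))
    print("escaping, injected:     ", ids_by_escaping(db, [INJECTION]))
    print("placeholders, injected: ", ids_by_placeholders(db, [INJECTION]))
    print("interpolation breaks on o'brien:", interpolation_fails(db, ["o'brien"]))
    print("placeholders, o'brien:  ", ids_by_placeholders(db, ["o'brien"]))
```

The injected value turns the interpolated query into `... IN ('nobody') OR 1=1 --')` and returns every row; the same value is harmless through the escaping path and the parameter path. A plain `o'brien` breaks the interpolated query outright, which is the everyday (non-malicious) reason to avoid it. Note that the escape rule is database-specific, while the placeholder marker only changes per driver (`?` for sqlite3, `%s` for several others), which is why the parameter path is the usual recommendation.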