how to replace and string in a "SELECT ... IN ()"
Michael Mabin
d3vvnull at gmail.com
Fri Sep 26 10:38:49 EDT 2008
I laugh in the face of danger.
Give me a use case for an exploit.
On Fri, Sep 26, 2008 at 8:05 AM, Tino Wildenhain <tino at wildenhain.de> wrote:
> Michael Mabin wrote:
>
>> cursor.execute("""
>> SELECT titem.object_id, titem.tag_id
>> FROM tagging_taggeditem titem
>> WHERE titem.object_id IN (%s)
>> """ % ','.join([str(x) for x in [1,5,9]])
>>
>
> Nope. That would be dangerous! -> google for SQL injection
>
> Tino
>
--
| _ | * | _ |
| _ | _ | * |
| * | * | * |
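As an added example (not from this thread and not code by either poster), the snippet below contrasts the interpolation pattern quoted above with a parameterized IN clause. The quoted snippet passes its ids through str() on hard-coded integers, so that exact call is not exploitable; the problem appears as soon as the list comes from outside the program as strings, which is what the constructed payload shows. The in-memory sqlite3 table with columns object_id and tag_id is an assumption made to mirror the quoted query.

```python
import sqlite3


def make_db():
    # Constructed sample data shaped like the quoted query's table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tagging_taggeditem (object_id INTEGER, tag_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO tagging_taggeditem VALUES (?, ?)",
        [(1, 10), (5, 11), (9, 12), (42, 13), (77, 14)],
    )
    return conn


def query_unsafe(conn, ids):
    # The pattern from the quoted post: the id list is pasted into the SQL text.
    # Safe only while every element really is an int under the caller's control.
    sql = """
    SELECT titem.object_id, titem.tag_id
    FROM tagging_taggeditem titem
    WHERE titem.object_id IN (%s)
    """ % ",".join(str(x) for x in ids)
    return conn.execute(sql).fetchall()


def query_safe(conn, ids):
    # Parameterized form: one "?" placeholder per value, and the values travel
    # to the driver as bound parameters, never as part of the statement text.
    # int() also rejects anything that is not a plain integer before it gets near SQL.
    ids = [int(x) for x in ids]
    if not ids:
        # "IN ()" is not portable across databases; an empty list matches nothing.
        return []
    placeholders = ",".join("?" for _ in ids)  # e.g. "?,?,?"
    sql = """
    SELECT titem.object_id, titem.tag_id
    FROM tagging_taggeditem titem
    WHERE titem.object_id IN (%s)
    """ % placeholders
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("trusted ints, unsafe :", query_unsafe(db, [1, 5, 9]))
    print("trusted ints, safe   :", query_safe(db, [1, 5, 9]))
    # Constructed payload standing in for a value read from a request.
    # Interpolated, it turns the WHERE clause into
    #   WHERE titem.object_id IN (1) OR (1=1)
    # which matches every row.
    payload = ["1) OR (1=1"]
    print("payload, unsafe      :", query_unsafe(db, payload))
    try:
        query_safe(db, payload)
    except ValueError as exc:
        print("payload, safe        : rejected ->", exc)
```

The placeholder string is built from a constant, so the `%` formatting in `query_safe` never touches attacker data; only the driver's parameter binding does. If the DB-API driver in use marks parameters with `%s` rather than `?` (as MySQLdb and psycopg2 do), the same join works with `"%s"` as the placeholder, with the query text then assembled by concatenation rather than `%` formatting.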