how to replace and string in a "SELECT ... IN ()"
D'Arcy J.M. Cain
darcy at druid.net
Fri Sep 26 15:21:58 EDT 2008
On Fri, 26 Sep 2008 14:04:35 -0500
"Michael Mabin" <d3vvnull at gmail.com> wrote:
> Doesn't it depend on where and why you intend to execute the code?
> Obviously some SQL is more at risk for exploit when the input is from the
> screen on a web page than if you were running parameterized code in a
> controlled batch environment. Or if you were writing code generators (which
> is what I happen to do) which won't be run by the general public.
>
> Incidentally, couldn't input field edits prevent such exploits prior to
> interpolation?
I encourage my competitors to program that way.
--
D'Arcy J.M. Cain <darcy at druid.net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
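The point behind this exchange, worked through in Python's sqlite3 module as an added example (not code from the thread): a `SELECT ... IN (...)` takes one bound placeholder per value, so the values never touch the SQL text, whereas string interpolation breaks on an ordinary apostrophe. The `users` table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    return conn


def select_in(conn, values):
    """SELECT ... IN (...) with one '?' placeholder per value; values are bound, not interpolated.

    sqlite3 uses '?'; DB-API drivers such as psycopg2 use '%s' instead, the technique is the same.
    """
    if not values:            # IN () is a syntax error in most engines, so short-circuit
        return []
    placeholders = ", ".join("?" * len(values))          # "?, ?, ?"
    sql = f"SELECT id, name FROM users WHERE name IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, tuple(values)).fetchall()


def select_in_unsafe(conn, values):
    """The interpolating version: the quoting is done by hand and is wrong for any value containing a quote."""
    quoted = ", ".join("'%s'" % v for v in values)
    return conn.execute("SELECT id, name FROM users WHERE name IN (%s)" % quoted).fetchall()


def demo():
    conn = make_demo_db()
    safe = select_in(conn, ["alice", "O'Brien"])        # apostrophe handled by the driver
    inert = select_in(conn, ["x') OR ('1'='1"])         # just a string that matches nothing
    try:
        select_in_unsafe(conn, ["alice", "O'Brien"])
        unsafe_error = None
    except sqlite3.OperationalError as exc:             # hand-quoted IN list is malformed SQL
        unsafe_error = str(exc)
    return safe, inert, unsafe_error


if __name__ == "__main__":
    print(demo())
```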