how to replace and string in a "SELECT ... IN ()"

Tino Wildenhain tino at wildenhain.de
Fri Sep 26 11:13:58 EDT 2008


Michael Mabin wrote:
> I laugh in the face of danger. 
>  
> Give me a use case for an exploit.

.... (see below)
> 
> On Fri, Sep 26, 2008 at 8:05 AM, Tino Wildenhain <tino at wildenhain.de 
> <mailto:tino at wildenhain.de>> wrote:
> 
>     Michael Mabin wrote:
> 
>               cursor.execute("""
>                           SELECT titem.object_id, titem.tag_id
>                           FROM tagging_taggeditem titem
>                           WHERE titem.object_id IN (%s)
>                       """ % ','.join([str(x) for x in [1,5,9]])
> 
> 
>     Nope. That would be dangerous! -> google for SQL injection
> 
>     Tino

You are not seeing it? Do you know where the
OP actually gets his list data from in the
first place?

You might get away with
str(int(x))
as an easy "sanitizer"

Tino
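As an added worked example (not code posted in this thread), the pattern from the quoted message in a runnable sqlite3 script: the original string-formatted IN (...) query next to a version that sends one placeholder per value, plus the str(int(x)) cast as the sanitizer. The table and column names follow the quoted query; the rows and the crafted list element are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data matching the table in the quoted query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tagging_taggeditem (object_id INTEGER, tag_id INTEGER);
        INSERT INTO tagging_taggeditem VALUES (1, 10), (5, 50), (9, 90), (42, 420);
    """)
    return conn


def query_unsafe(conn, ids):
    """The quoted pattern: caller-supplied values are pasted into the SQL text.
    Anything in `ids` that is not a bare integer becomes part of the statement."""
    sql = """
        SELECT titem.object_id, titem.tag_id
        FROM tagging_taggeditem titem
        WHERE titem.object_id IN (%s)
    """ % ','.join([str(x) for x in ids])
    return conn.execute(sql).fetchall()


def sanitize_ids(values):
    """str(int(x)) as suggested: int() only ever yields an integer, so a value
    such as '5) OR 1=1 --' raises ValueError instead of reaching the SQL."""
    return [str(int(x)) for x in values]


def query_safe(conn, ids):
    """Preferred form: the SQL text contains only '?' placeholders (one per
    value) and the values travel separately via the driver, so they can never
    change the statement's structure. The int() cast is kept as well so that
    junk is rejected early rather than silently compared as text."""
    ids = [int(x) for x in ids]
    if not ids:
        return []
    placeholders = ','.join('?' * len(ids))
    sql = (
        "SELECT titem.object_id, titem.tag_id "
        "FROM tagging_taggeditem titem "
        "WHERE titem.object_id IN (%s)" % placeholders
    )
    return conn.execute(sql, ids).fetchall()


def sanitizer_rejects(values):
    """True if sanitize_ids() refuses the list (used to demonstrate the check)."""
    try:
        sanitize_ids(values)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Constructed malicious element: closes the IN list and comments out the rest.
    evil = [1, "5) OR 1=1 --"]
    print("unsafe, honest input:", query_unsafe(db, [1, 5, 9]))
    print("unsafe, crafted input:", query_unsafe(db, evil))   # every row comes back
    print("safe, honest input:", query_safe(db, [1, 5, 9]))
    print("sanitizer rejects crafted input:", sanitizer_rejects(evil))
```

Note that int() is the sanitizer only because its output is guaranteed to be an integer; it still accepts surrounding whitespace and bools, which is harmless for the SQL but worth knowing. For values that are not integers (names, dates) there is no cast to hide behind, and only the placeholder form is safe.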

