i Don't get why it makes trouble

Stephen Hansen apt.shansen at gmail.com
Fri Aug 14 00:59:19 EDT 2009


>
> Currently I am working on just a prototype to show what is possible to
> be done to get me some funding for my future work. After that I will
> get over to SQL Alchemy. Its ORM will take over this business for
> me.
>
> A lot of people are not aware of SQL injection. My friend from college
> asked me and a couple of other guys for pen testing of a website. His
> SQL injection mistake made him an epic fail.
>

You don't really need to go the full ORM route to do this safely --
constructing SQL from user input is not only wrong from a security point of
view, but it's actually just harder to do it that way than to use the
mechanisms provided in PEP-249 compliant DB-API modules. Life's easier if
you use parameterized queries, really :)

You're probably connecting to your database via a DB-API compatible library,
I assume? Most are. If so, it's simply a matter of:

cur = con.cursor()
cur.execute("SELECT name FROM blah WHERE id = ? AND zone = ?", (my_id, my_zone))

All DB-API compliant modules support this, though some mark the parameters
differently. That's qmark; some alternates are numeric (:1, :2, etc.), some
named (:id, :zone), some format (%s, %d, etc.), some pyformat (%(id)d,
%(zone)s).

The module should provide a 'paramstyle' stating what is supported.

--S
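A runnable illustration of the reply above, added here and not part of the original thread: it uses the standard-library sqlite3 module (a DB-API module whose paramstyle is qmark, and which also accepts the named style) to contrast a query built by string formatting with the parameterized form, and it shows how a module's paramstyle determines which placeholder to write. The table and rows are constructed sample data; the helper names (make_db, lookup_parameterized, placeholder, build_lookup_sql) are this example's own.

```python
import sqlite3

# Constructed sample data for this example; not from the thread.
ROWS = [(1, "north", "alice"), (2, "north", "bob"), (3, "o'neil", "carol")]


def make_db():
    """Build an in-memory SQLite database with a small 'blah' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE blah (id INTEGER, zone TEXT, name TEXT)")
    con.executemany("INSERT INTO blah VALUES (?, ?, ?)", ROWS)
    return con


def current_paramstyle():
    """The marker style the module advertises (sqlite3 reports 'qmark')."""
    return sqlite3.paramstyle


def lookup_by_string_building(con, my_id, my_zone):
    """The pattern the reply warns against: input spliced into the SQL text.

    Returns the matched names, or the exception class name when the
    spliced-in value breaks the statement (a zone containing a quote is
    enough: the value is parsed as SQL instead of being treated as data).
    """
    sql = "SELECT name FROM blah WHERE id = %s AND zone = '%s'" % (my_id, my_zone)
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error as exc:
        return type(exc).__name__


def lookup_parameterized(con, my_id, my_zone):
    """The DB-API way (qmark style): placeholders in the SQL, values passed separately."""
    cur = con.cursor()
    cur.execute("SELECT name FROM blah WHERE id = ? AND zone = ?", (my_id, my_zone))
    return [row[0] for row in cur.fetchall()]


def lookup_named(con, my_id, my_zone):
    """sqlite3 also accepts the 'named' style, with a mapping of values."""
    cur = con.cursor()
    cur.execute(
        "SELECT name FROM blah WHERE id = :id AND zone = :zone",
        {"id": my_id, "zone": my_zone},
    )
    return [row[0] for row in cur.fetchall()]


def placeholder(paramstyle, position, name):
    """Return the placeholder text for one parameter under a DB-API paramstyle.

    position is 1-based (the numeric style counts from 1); name is used by
    the named and pyformat styles.
    """
    styles = {
        "qmark": "?",
        "numeric": ":%d" % position,
        "named": ":%s" % name,
        "format": "%s",
        "pyformat": "%%(%s)s" % name,
    }
    if paramstyle not in styles:
        raise ValueError("unknown paramstyle: %r" % paramstyle)
    return styles[paramstyle]


def build_lookup_sql(paramstyle):
    """Write the reply's query once and let the module's paramstyle pick the markers."""
    return "SELECT name FROM blah WHERE id = %s AND zone = %s" % (
        placeholder(paramstyle, 1, "id"),
        placeholder(paramstyle, 2, "zone"),
    )


if __name__ == "__main__":
    con = make_db()
    print(current_paramstyle())                          # qmark
    print(lookup_parameterized(con, 1, "north"))         # ['alice']
    print(lookup_parameterized(con, 3, "o'neil"))        # ['carol']
    print(lookup_by_string_building(con, 3, "o'neil"))   # OperationalError
    print(build_lookup_sql("pyformat"))
```

The zone value `o'neil` is legitimate data, yet the string-built query fails on it because the quote becomes part of the statement; the parameterized versions return the row because the driver keeps values separate from SQL text. build_lookup_sql shows the reply's last point in practice: read the module's paramstyle and emit the matching markers rather than hard-coding one style.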

