Why Is Escaping Data Considered So Magical?
Robert Kern
robert.kern at gmail.com
Sat Jun 26 03:39:03 EDT 2010
On 2010-06-25 19:49 , Lawrence D'Oliveiro wrote:
> In message<slrni297ec.1m5.grahn+nntp at frailea.sa.invalid>, Jorgen Grahn
> wrote:
>
>> I thought it was well-known that the solution is *not* to try to
>> sanitize the input -- it's to switch to an interface which doesn't
>> involve generating an intermediate executable. In the Python example,
>> that would be something like os.popen2(['zcat', '-f', '--', untrusted]).
>
> That’s what I mean. Why do people consider input sanitization so hard?
It's not hard per se; it's just repetitive, prone to the occasional mistake,
and, frankly, really boring. When faced with things like that, we do what we do
everywhere else in programming: wrap up the repetitive bits into a simpler
library API and use that everywhere. Wrapping up the escaping code into
SQLString is a step in that direction. However, the standard SQL
parameterization in most of the DB protocols or SQLAlchemy's query construction
removes even more repetition and unnecessary typing. There's just no point in
not using it.
--
Robert Kern
"I have come to believe that the whole world is an enigma, a harmless enigma
that is made terrible by our own mad attempt to interpret it as though it had
an underlying truth."
-- Umberto Eco
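An added illustration of the two points in this thread (not code from the thread or from any of its posters): hand-built SQL text versus a driver-level parameter, and an argument list passed to a child process without a shell. The table, rows and inputs below are constructed for the demonstration; the function names are the example's own.

```python
import sqlite3
import subprocess
import sys


def make_db():
    # Constructed in-memory table used only for this demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    return conn


def lookup_by_concatenation(conn, name):
    # The hand-escaping approach, done badly: the caller's string is pasted
    # into the SQL text, so a quote in the value changes the statement itself.
    # A legitimate name like O'Brien is already enough to break it.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_by_parameter(conn, name):
    # Parameterised query: the driver keeps the SQL text and the value apart,
    # so the value is never parsed as SQL and nothing needs escaping.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def echo_argument(untrusted):
    # The popen2-with-a-list idea: spawn a child with an argv list and no
    # shell. The string reaches the child unchanged and is never read as a
    # command line, so shell metacharacters in it carry no meaning.
    # (A Python one-liner stands in for zcat so the example runs anywhere.)
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", untrusted],
        capture_output=True, text=True, check=True)
    return result.stdout
```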