Why Is Escaping Data Considered So Magical?

Jorgen Grahn grahn+nntp at snipabacken.se
Sun Jun 27 15:17:54 EDT 2010


On Sat, 2010-06-26, Lawrence D'Oliveiro wrote:
> In message <slrni297ec.1m5.grahn+nntp at frailea.sa.invalid>, Jorgen Grahn 
> wrote:
>
>> I thought it was well-known that the solution is *not* to try to
>> sanitize the input -- it's to switch to an interface which doesn't
>> involve generating an intermediate executable.  In the Python example,
>> that would be something like os.popen2(['zcat', '-f', '--', untrusted]).
>
> That's what I mean. Why do people consider input sanitization so hard?

I'm not sure you understood me correctly, because I advocate
*not* doing input sanitization. Hard or not -- I don't want to know,
because I don't want to do it.

/Jorgen

-- 
  // Jorgen Grahn <grahn@  Oo  o.   .  .
\X/     snipabacken.se>   O  o   .
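As an added illustration of the list-based interface Jorgen refers to (example code, not part of this thread): os.popen2 no longer exists in Python 3, so the modern equivalent subprocess.run is used, and the child process is the Python interpreter itself as a stand-in for zcat so the example runs without zcat installed. The file names are constructed samples.

```python
import json
import shlex
import subprocess
import sys


def build_zcat_argv(untrusted):
    """Argument vector for the 'zcat -f -- <file>' call from the post.

    Nothing in 'untrusted' is interpreted: no shell sits in between, and
    the '--' tells zcat that what follows is a file name even if it
    starts with '-'.
    """
    return ["zcat", "-f", "--", untrusted]


def shell_tokens(untrusted):
    """How a POSIX shell would tokenize the naive string-building version.

    Shown only for contrast: whitespace or quotes in the input change the
    command structure instead of staying inside one argument.
    """
    try:
        return shlex.split("zcat -f -- " + untrusted)
    except ValueError as exc:  # e.g. a lone quote in the file name
        return ["<shell parse error: %s>" % exc]


def argv_seen_by_child(untrusted):
    """Spawn a child with the list interface and return the argv it got.

    The child is sys.executable (a constructed stand-in for zcat); it
    echoes its arguments back as JSON so we can check them exactly.
    """
    result = subprocess.run(
        [sys.executable, "-c",
         "import json, sys; print(json.dumps(sys.argv[1:]))",
         "-f", "--", untrusted],
        capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    for name in ["report.gz", "my file.gz", "-rf", "o'neill.gz"]:
        print("argv list :", build_zcat_argv(name))
        print("shell view:", shell_tokens(name))
        print("child got :", argv_seen_by_child(name))
```

With the argument vector, every sample arrives in the child as exactly one argument; the shell view shows "my file.gz" splitting into two words and "o'neill.gz" not even parsing.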
