Why Is Escaping Data Considered So Magical?

Michael Torrie torriem at gmail.com
Wed Jun 30 00:11:16 EDT 2010


On 06/29/2010 06:26 PM, Lawrence D'Oliveiro wrote:
>> I'm not sure you understood me correctly, because I advocate
>> *not* doing input sanitization. Hard or not -- I don't want to know,
>> because I don't want to do it.
> 
> But no-one has yet managed to come up with an alternative that involves less 
> work.

Your case is still not persuasive.

How is using the DB API's placeholders and parameterization more work?
It's the same amount of keystrokes, perhaps even less.  You would just
be substituting the API's parameter placeholders for Python's.  In fact
with Psycopg2 and the mysql python db apis, it's almost a matter of
simply removing the "%" and putting in a comma, turning python's string
substitution into a method call.  And you can leave out the quotes
around where the variables go.  If I have to sanitize every input, I
have to do it on each and every field on each and every form action.
With the DB API doing the work I just do it once, in one place.  Is this
not easier than manually escaping everything and then embedding it in
the query string?

I've not used sqlalchemy, but it looks similarly easy.
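A runnable contrast of the two forms described in the post, added here as an example (not code from the post): it uses the standard library's sqlite3 module instead of Psycopg2 so it runs offline, so the placeholder is `?` rather than psycopg2's `%s`, and the table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample data, standing in for a real application's table.
ROWS = [("alice", "alice@example.com"), ("o'brien", "ob@example.com")]


def make_db():
    """Create an in-memory SQLite database (a DB-API 2.0 module) with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_formatted(conn, name):
    """Python string substitution: the caller must escape every value itself.
    A value containing a quote breaks the statement (or, worse, changes it)."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """DB-API placeholders: the '%' becomes a comma, the quotes around the
    value go away, and the driver does the quoting/escaping in one place."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Return (formatted_result, parameterized_result). The formatted result
    is the exception class name when the unescaped value breaks the SQL."""
    conn = make_db()
    try:
        formatted = lookup_formatted(conn, name)
    except sqlite3.Error as exc:
        formatted = type(exc).__name__
    return formatted, lookup_parameterized(conn, name)


if __name__ == "__main__":
    print(compare("alice"))    # both forms work for a plain value
    print(compare("o'brien"))  # only the parameterized form survives the quote
```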



