Just To Be Sure...MySQL

Adam Tauno Williams awilliam at whitemice.org
Sat May 22 12:09:18 EDT 2010


On Sat, 2010-05-22 at 18:06 +0200, Christian Heimes wrote:
> > A lister recently responded to my post concerning mysql commands of the
> > following type:
> >
> > cursor.execute('insert into foo values (%s, %s)' % (bar, something))
> >
> > stating that I need to eliminate the "%" to prevent injection attacks, thus:
> >
> > cursor.execute('insert into foo values (%s, %s)', (bar, something))
> >
> > My question is simply this: Is that advice good for *all* mysql commands? Or
> > are there some where the "%" is necessary and a comma would fail? I need to
> > update lots of mysql commands. If I can do it without harmful consequences,
> > I'll do it across the board. Otherwise, I'll have to test each one.
> > TIA,
> > beno
> 
> You *MUST NOT* use string formatting for SQL commands unless you 

+1

And they are hideous code.

Use an ORM: <http://freshmeat.net/projects/sqlalchemy>

> carefully quote and validate the strings. Otherwise your SQL application 
> is vulnerable to SQL injection attacks. SQL injections are one of the 
> most common and devastating attacks for web applications these days.

-- 
Adam Tauno Williams <awilliam at whitemice.org> LPIC-1, Novell CLA
<http://www.whitemiceconsulting.com>
OpenGroupware, Cyrus IMAPd, Postfix, OpenLDAP, Samba
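The two forms quoted in this thread, side by side as a runnable demonstration. This is example code added to the archive page, not code from either poster. It uses the standard-library sqlite3 module so it runs offline; the behaviour is the same with MySQLdb, except that MySQLdb's placeholder is `%s` (DB-API paramstyle "format") where sqlite3's is `?` (paramstyle "qmark"). It goes a little beyond the post's INSERT and also shows a SELECT, where the difference is most visible: a value that the driver binds as a parameter can never change the shape of the statement, while a value spliced in with `%` can. Table and column names match the post; the sample rows and the apostrophe-containing name are constructed.

```python
"""Why the comma form (parameter tuple) is safe and the % form is not.

Example code added to this mailing-list archive page; not from the thread.
Uses sqlite3 so it runs offline. MySQLdb behaves the same way but takes %s
as its placeholder instead of sqlite3's ?.
"""
import sqlite3


def make_db():
    # In-memory table shaped like the post's `foo`, with constructed sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (bar text, something text)")
    conn.execute("insert into foo values ('alice', 'a-secret')")
    conn.execute("insert into foo values ('bob', 'b-secret')")
    return conn


def insert_formatted(conn, bar, something):
    # The original poster's form: Python builds the SQL text itself, so any
    # quote character inside a value becomes part of the statement.
    conn.execute("insert into foo values ('%s', '%s')" % (bar, something))


def insert_param(conn, bar, something):
    # The recommended form: the driver receives the values separately and
    # binds them; they are never parsed as SQL.
    conn.execute("insert into foo values (?, ?)", (bar, something))


def lookup_formatted(conn, bar):
    # Same defect in a SELECT: the WHERE clause is assembled from user text.
    cur = conn.execute("select something from foo where bar = '%s'" % bar)
    return [row[0] for row in cur.fetchall()]


def lookup_param(conn, bar):
    # Parameterised SELECT: `bar` is compared as a literal string, whatever it contains.
    cur = conn.execute("select something from foo where bar = ?", (bar,))
    return [row[0] for row in cur.fetchall()]


def demo():
    """Run both forms against the same data and report what each does."""
    results = {}
    conn = make_db()

    # 1. A perfectly legitimate value that happens to contain an apostrophe.
    try:
        insert_formatted(conn, "o'brien", "c-secret")
        results["formatted_insert"] = "ok"
    except sqlite3.OperationalError:
        # The unbalanced quote turns a valid value into a SQL syntax error.
        results["formatted_insert"] = "syntax error"
    insert_param(conn, "o'brien", "c-secret")
    results["param_insert"] = lookup_param(conn, "o'brien")

    # 2. The classic tautology payload. Spliced in with %, it rewrites the
    #    WHERE clause and leaks every row; bound as a parameter it matches nothing.
    payload = "' or '1'='1"
    results["formatted_lookup"] = lookup_formatted(conn, payload)
    results["param_lookup"] = lookup_param(conn, payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running it shows the formatted INSERT failing on an ordinary name while the parameterised one stores it, and the formatted SELECT returning all rows for the tautology while the parameterised SELECT returns none. The lesson for the "update lots of mysql commands" question is that the comma form works for every statement type, with the single caveat that the placeholder token depends on the driver's `paramstyle`.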



