Just To Be Sure...MySQL
Aahz
aahz at pythoncraft.com
Sat May 22 16:34:44 EDT 2010
In article <mailman.534.1274544403.32709.python-list at python.org>,
Christian Heimes <lists at cheimes.de> wrote:
>
>You *MUST NOT* use string formatting for SQL commands unless you
>carefully quote and validate the strings. Otherwise your SQL application
>is vulnerable to SQL injection attacks. SQL injections are one of the
>most common and devastating attacks for web applications these days.
>
>Example:
>"Select * from Users where uid = %s" % uid
>uid = "1; DROP Table users;"
>
>Guess what happens here ...
http://xkcd.com/327/
(Just in case there are newbies here.)
--
Aahz (aahz at pythoncraft.com) <*> http://www.pythoncraft.com/
f u cn rd ths, u cn gt a gd jb n nx prgrmmng.
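Added example, not code from the thread or from Christian's mail: the formatted query he quotes, run beside a parameterized one against a constructed in-memory SQLite table, so what happens with the "1; DROP Table users;" input is shown rather than guessed.

```python
import sqlite3

# The table, rows and helper names below are constructed for this demonstration.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn

def build_query_unsafe(uid):
    # String formatting: the value becomes part of the SQL text itself.
    return "Select * from Users where uid = %s" % uid

def lookup_user_unsafe(conn, uid):
    # Whatever uid contains is parsed as SQL. Python's sqlite3 happens to
    # refuse a string holding two statements, so the DROP from the mail raises
    # here; that is a driver quirk, not a defense, and other drivers run both.
    return conn.execute(build_query_unsafe(uid)).fetchall()

def lookup_user_safe(conn, uid):
    # Parameterized query: the SQL text is fixed; uid travels separately and
    # can only ever be compared as a value, never parsed as SQL.
    return conn.execute("SELECT * FROM users WHERE uid = ?", (uid,)).fetchall()

def table_exists(conn, name):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def demo(uid="1; DROP Table users;"):
    """Run both lookups with the same input and report what happened."""
    conn = make_db()
    result = {"query_text": build_query_unsafe(uid)}
    try:
        result["unsafe"] = lookup_user_unsafe(conn, uid)
    except Exception as exc:  # sqlite3.Warning or ProgrammingError, by version
        result["unsafe"] = "rejected: %s" % exc
    result["safe"] = lookup_user_safe(conn, uid)
    result["users_table_intact"] = table_exists(conn, "users")
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The parameterized lookup simply finds no row for the hostile input and leaves the table in place, while the formatted string has already been rewritten into two statements before the driver ever sees it.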