WP-A: A New URL Shortener

Thomas 'PointedEars' Lahn PointedEars at web.de
Wed Apr 6 14:42:43 EDT 2016


Chris Angelico wrote:

> In other words, you are assuming that the string escaping *in the
> module* is buggy. Well, duh. This is exactly what I said about not
> having stupid bugs. The developer of a MySQL binding library should
> know the *entire* rules for escaping, and, duh, that's going to
> include escaping the backslash. So the escaped query would be
> something like:
> 
>   insert into some_table (some_column) values ("\\"");
>   DROP TABLE some_table;
>   --")
> 
> which would be interpreted correctly by MySQL.

There is no way a version of a module can safely use an escaping mechanism 
that handles all possible *future* cases.  Further, there are escaping costs 
on the client to be considered for *every* query.

So my recommendation, based on best current practice (OWASP), stands: Use 
prepared statements or stored procedures and let the database do the job.  
*Better be safe than sorry.*  See xkcd.

Bonuses with prepared statements: Not only can the client skip the escaping, 
but queries are faster if you have to do the same query just with different 
parameters.  And you can do things with prepared statements that you cannot 
do in another way (for example, parameterized LIMIT [1]).

Bonus with stored procedures: You can do more complex tasks with less 
overhead.

Off-topic --> EOD.

[1] <news:2193528.dSJ3Ry9s4d at PointedEars.de>

-- 
PointedEars

Twitter: @PointedEars2
Please do not cc me. / Bitte keine Kopien per E-Mail.
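Added example, not code from the thread: the parameterized approach the post recommends, shown with Python's standard sqlite3 module rather than a MySQL binding (an assumption, chosen so it runs offline). The hostile value is constructed from the payload quoted upthread; parameter binding stores it verbatim and leaves the schema intact, while the concatenation pattern is kept only to contrast. It also shows the parameterized LIMIT the post mentions and statement reuse with different parameters.

```python
import sqlite3

# Constructed sample values, modelled on the payload quoted in the thread:
# a backslash, a quote and a statement terminator, plus ordinary rows.
HOSTILE_VALUE = '\\"); DROP TABLE some_table; --'
SAMPLE_VALUES = ["alpha", "beta", HOSTILE_VALUE, "gamma"]


def build_db(values=SAMPLE_VALUES):
    """Create an in-memory DB and load rows with one parameterized INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (some_column TEXT)")
    # executemany reuses a single statement with different parameters; the
    # driver binds each value separately, so no client-side escaping is done.
    conn.executemany(
        "INSERT INTO some_table (some_column) VALUES (?)",
        [(v,) for v in values],
    )
    conn.commit()
    return conn


def insert_by_concatenation(conn, value):
    """The pattern the thread warns against: splicing the value into SQL text.

    Kept only for contrast. sqlite3 refuses the resulting multi-statement
    text (or the unterminated literal), so this returns a 'rejected' marker;
    a driver that accepts several statements per call would behave worse."""
    sql = 'INSERT INTO some_table (some_column) VALUES ("%s")' % value
    try:
        conn.execute(sql)
        return "executed"
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return "rejected: %s" % exc


def first_rows(conn, limit):
    """Parameterized LIMIT, the case the post cites as hard to do otherwise."""
    cur = conn.execute(
        "SELECT some_column FROM some_table ORDER BY rowid LIMIT ?", (limit,)
    )
    return [row[0] for row in cur.fetchall()]


def table_exists(conn, name):
    """Check the schema so a caller can confirm nothing was dropped."""
    cur = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
        (name,),
    )
    return cur.fetchone()[0] == 1
```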
