[Tutor] Paramstyle/sql injection [was Python CGI Script]
Tim Johnson
tim at johnsons-web.com
Thu Sep 21 02:09:19 CEST 2006
* Danny Yoo <dyoo at hkn.eecs.berkeley.edu> [060920 10:41]:
> > query1 = """SELECT ABC FROM %s limit %s,%s"""\
> > % (self.tableid,self.rangeid1,self.rangeid2)
>
> Just as a note: please don't do this! *grin*
>
> Don't build query strings up like this: this is very prone to an SQL
> injection attack. See:
>
> http://mail.python.org/pipermail/tutor/2003-April/022010.html
I'm glad you brought this up:
Was talking to my partner about this. He's a Perl programmer, and he
told me (if I understood him correctly) that the programmer
is required by Perl to use the 'prepare' function in the Perl DBI prior
to sending a select statement.
If not done (again, if I understood him correctly) an exception is
thrown.
Is this correct?
Now I'm off to writing a little 'script nanny' to check my python
files for usage of Paramstyle.
thanks
tim
> which talks about this a bit more.
--
Tim Johnson <tim at johnsons-web.com>
http://www.alaska-internet-solutions.com
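As an added example, not code from this thread or from either poster, here the query-building pattern Danny objected to is run against an in-memory SQLite database next to a version that uses the DB-API paramstyle (sqlite3's is 'qmark') for the LIMIT values and an allowlist for the table name, since an identifier cannot be bound as a parameter. The table and column names, the sample rows, the injected table string and the allowlist are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed schema for the demo: one table the script may read and
    one it must never expose. Names are assumptions, not from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE public_notes (ABC TEXT);
        INSERT INTO public_notes VALUES ('note one'), ('note two'), ('note three');
        CREATE TABLE secrets (secret TEXT);
        INSERT INTO secrets VALUES ('admin-password-hash');
    """)
    return conn


def run_unsafe(conn, tableid, rangeid1, rangeid2):
    """The pattern from the thread: user-controlled pieces are formatted
    straight into the SQL text, so whatever they contain is parsed as SQL."""
    query1 = "SELECT ABC FROM %s limit %s,%s" % (tableid, rangeid1, rangeid2)
    return [row[0] for row in conn.execute(query1)]


# A table "name" that turns the SELECT into a UNION against another table;
# the trailing "--" comments out the original LIMIT clause (constructed payload).
INJECTED_TABLE = "public_notes UNION SELECT secret FROM secrets --"

# Only these table names may ever reach the query text (assumption for the demo).
ALLOWED_TABLES = {"public_notes"}


def run_safe(conn, tableid, rangeid1, rangeid2):
    """Same query, with the table name allowlisted and the LIMIT values bound."""
    # An identifier cannot be a bind parameter, so it is checked against a
    # fixed set instead of being trusted.
    if tableid not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % (tableid,))
    # LIMIT values must be non-negative integers; refuse anything else.
    offset, count = int(rangeid1), int(rangeid2)
    if offset < 0 or count < 0:
        raise ValueError("negative LIMIT values")
    # sqlite3.paramstyle is 'qmark': the driver binds the values, so they are
    # never parsed as SQL. Only the already-validated table name is formatted in.
    query1 = 'SELECT ABC FROM "%s" LIMIT ?,?' % tableid
    return [row[0] for row in conn.execute(query1, (offset, count))]


def safe_rejects(conn, tableid, rangeid1, rangeid2):
    """True when run_safe refuses the input instead of executing it."""
    try:
        run_safe(conn, tableid, rangeid1, rangeid2)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("unsafe, injected table:", run_unsafe(conn, INJECTED_TABLE, 0, 2))
    print("safe, normal input:    ", run_safe(conn, "public_notes", "0", "2"))
    print("safe rejects table payload:", safe_rejects(conn, INJECTED_TABLE, 0, 2))
    print("safe rejects limit payload:",
          safe_rejects(conn, "public_notes", 0, "2 UNION SELECT secret FROM secrets"))
```

One caveat for a 'script nanny' that greps for formatting near execute(): the DB-API paramstyle differs per driver. sqlite3 uses '?', but drivers with the 'format' or 'pyformat' style (MySQLdb, psycopg2) use '%s' as the placeholder too, so '%s' in the query text is not by itself the tell; what matters is whether the values are passed as the second argument to execute() or spliced into the string before the call.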