[Tutor] [OT] Secure coding guidelines

Kent Johnson kent37 at tds.net
Tue Oct 13 20:31:54 CEST 2009


On Tue, Oct 13, 2009 at 11:49 AM, Serdar Tumgoren <zstumgoren at gmail.com> wrote:
>> In reference to this tip, my question is why?
>
>> - don't use string formatting to create SQL statements - use the
>> two-argument form of execute() to pass args as a sequence
>>
>
> SQL injection is the primary reason:
>
> http://en.wikipedia.org/wiki/SQL_injection

And the classic xkcd:
http://xkcd.com/327/

I'm not sure about this, but I think there is also a possible
performance boost if you are executing the same SQL with different
parameters; if the parameters are not part of the SQL then there is
some pre-processing that can be cached and re-used.

Kent
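To make the thread's point concrete, here is an added example (not code from the original posts or from anyone in the thread) that runs the same lookup both ways against an in-memory SQLite database. The table, the rows and the inputs are constructed for the demo; the "hostile" input is the textbook always-true condition the linked Wikipedia article describes.

```python
# Added example, not part of the original mailing-list thread.
# Constructed data: a tiny users table in an in-memory SQLite database.
import sqlite3


def make_db():
    """Build the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_formatted(conn, name):
    """The pattern the tip warns against: the input is pasted into the SQL text.

    The database parses whatever string results, so a quote in the input
    changes the statement instead of being treated as data.
    """
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Two-argument execute(): fixed SQL text, the value travels separately.

    The driver never splices the value into the statement, so the input can
    only ever match (or fail to match) a name.
    """
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on ordinary, awkward and hostile input."""
    conn = make_db()
    results = {}

    # Ordinary input: both forms agree.
    results["formatted_bob"] = lookup_formatted(conn, "bob")
    results["param_bob"] = lookup_parameterized(conn, "bob")

    # A perfectly legitimate name containing a quote breaks the
    # formatted query outright (sqlite3.OperationalError: syntax error).
    try:
        lookup_formatted(conn, "o'brien")
        results["formatted_obrien_error"] = None
    except sqlite3.OperationalError as exc:
        results["formatted_obrien_error"] = str(exc)
    results["param_obrien"] = lookup_parameterized(conn, "o'brien")

    # Constructed injection input: the formatted query's WHERE clause
    # becomes always-true and every row comes back; the parameterized
    # query just looks for a user literally named "x' OR '1'='1".
    hostile = "x' OR '1'='1"
    results["formatted_hostile"] = lookup_formatted(conn, hostile)
    results["param_hostile"] = lookup_parameterized(conn, hostile)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The quote-in-a-name case is worth noticing on its own: string formatting is fragile even with honest input, which is a second reason to prefer the parameterized form. On the performance remark, the fixed SQL text is also what lets Python's sqlite3 module reuse a compiled statement from its statement cache across calls that differ only in their parameters.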
