On Mon, Nov 16, 2009 at 4:30 PM, <[email protected]> wrote:
> From: Noufal Ibrahim <[email protected]>
> Message-ID:
> <[email protected]>
> Content-Type: text/plain; charset=windows-1252
>
> It's perfectly possible and equally easy to write SQL injection
> exploitable code in Python if you're using the raw DBAPI
>

That's not quite accurate. The accepted defense against SQL injection is using prepared statements, and DBAPI strongly encourages one to use prepared statements instead of constructing the SQL statement using string manipulation.

Unfortunately, the placeholder MySQLdb uses is "%s", which is easy to confuse with string interpolation. The sqlite3 DBAPI, for instance, uses '?', which is much clearer.

Vijay
--
http://www.wisdomtap.com/
_______________________________________________
BangPypers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/bangpypers
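The contrast Vijay draws between string interpolation and DBAPI placeholders, as an added example that is not part of the thread and not code from either poster. It uses the standard-library sqlite3 module (qmark paramstyle, '?') against a constructed in-memory table so it runs offline; the MySQLdb form with "%s" is shown only in a comment, since that driver needs a server. The table, rows and the attacker payload are all made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a throwaway in-memory table, not any real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The value is pasted into the SQL text with Python's % operator, so an
    # attacker-controlled name becomes part of the statement itself.
    sql = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The value travels separately from the SQL text; the driver binds it and
    # it can never change the shape of the query. sqlite3 spells the
    # placeholder '?'. With MySQLdb the equivalent call is written
    #     cursor.execute("SELECT ... WHERE name = %s", (name,))
    # The comma (a parameter tuple), not the % operator, is what makes it
    # safe; "... %s" % name would be the vulnerable form again.
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def driver_paramstyle():
    # Every DBAPI module advertises which placeholder style it expects.
    return sqlite3.paramstyle


# Constructed attacker input: closes the quoted literal and appends a
# tautology, so the interpolated query matches every row.
PAYLOAD = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),       # both rows leak
        "parameterized": lookup_parameterized(conn, PAYLOAD), # no such name: []
        "honest": lookup_parameterized(conn, "alice"),        # one matching row
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
    print("sqlite3 paramstyle:", driver_paramstyle())
```

Running it shows the interpolated query returning both users' secrets for the payload while the parameterized query returns nothing, because the payload is compared as a literal name. Checking a driver's `paramstyle` attribute is the quick way to confirm whether it wants '?' or "%s" before writing any queries against it.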
