On Feb 5, 2011, at 3:46 PM, John Fabiani wrote:
> As far as SQL injections I do
> not see the difference between using python's '%s' passing the complete sql
> statement and passing the '?' with the variable.
They are as different as night and day. Adrian gave you the best-known
(and most humorous!) example of SQL injection, but there are many others. By
parameterizing the SQL and passing the params, you rely on the adapter's string
escaping mechanism, which will be much more secure than anything you could
create yourself. Your example looks like you're simply using Python's string
formatting, which does no escaping at all, and is thus the most insecure way to
do things.
-- Ed Leafe
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/dabo-users
Searchable Archives: http://leafe.com/archives/search/dabo-users
This message:
http://leafe.com/archives/byMID/[email protected]
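The difference Ed describes, as an added example that is not part of the thread above: the same lookup written with Python's `%` formatting and with a DB-API `?` placeholder, run against an in-memory SQLite database with constructed sample rows. The function names, the `users` table and the payload strings are my own for illustration.

```python
import sqlite3

# Constructed sample data for this demonstration only.
SAMPLE_USERS = [
    (1, "alice", 1),
    (2, "bob", 1),
    (3, "mallory", 0),   # deactivated account, should never be returned
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def active_user_ids_unsafe(conn, username):
    """Vulnerable: '%s' pastes the raw value into the SQL text, so quotes and
    comment markers in the value are parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = '%s' AND active = 1" % username
    return sorted(row[0] for row in conn.execute(sql))


def active_user_ids_safe(conn, username):
    """Parameterized: the value is bound by the adapter and never becomes part
    of the SQL text, so it can only ever be compared as data."""
    sql = "SELECT id FROM users WHERE username = ? AND active = 1"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def unsafe_breaks_on_quote(conn):
    """A legitimate apostrophe ('o'brien') is a syntax error for the unsafe
    version; the same input is handled fine by the parameterized one."""
    try:
        active_user_ids_unsafe(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both lookups with a normal username and with an injection payload."""
    conn = make_db()
    # The trailing '--' comments out the 'AND active = 1' clause in the unsafe query.
    payload = "x' OR 1=1 --"
    return {
        "unsafe_normal": active_user_ids_unsafe(conn, "alice"),
        "safe_normal": active_user_ids_safe(conn, "alice"),
        "unsafe_payload": active_user_ids_unsafe(conn, payload),  # all rows leak
        "safe_payload": active_user_ids_safe(conn, payload),      # no match
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name}: {ids}")
    print("unsafe breaks on apostrophe:", unsafe_breaks_on_quote(make_db()))
```

With the payload, the formatted query becomes `... WHERE username = 'x' OR 1=1 --' AND active = 1`, which returns every user including the deactivated one, while the parameterized query looks for a user literally named `x' OR 1=1 --` and finds nothing. Note that `sqlite3` (like most modern adapters) does not escape the value into the SQL string at all; it binds it as a separate argument, which is why no amount of clever quoting in the input can change the statement's structure.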