On Saturday, February 05, 2011 01:20:12 pm Ed Leafe wrote:
> On Feb 5, 2011, at 3:46 PM, John Fabiani wrote:
> > As far as SQL injections I do
> > not see the difference between using python's '%s' passing the complete
> > sql statement and passing the '?' with the variable.
>
> They are as different as night and day. Adrian gave you the best-known
> (and most humorous!) example of SQL injection, but there are many others.
> By parameterizing the SQL and passing the params, you rely on the
> adapter's string escaping mechanism, which will be much more secure than
> anything you could create yourself. Your example looks like you're simply
> using Python's string formatting, which does no escaping at all, and is
> thus the most insecure way to do things.
>
> -- Ed Leafe
You don't remember this? (years old now):
(keyChar in """,./<>?;':"[]\\{}|`~!@#$%%^&*()_=+""")
So my point was to clean up the code before it's used. I didn't finish and
should have, but I needed to leave yesterday.
Johnf
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/dabo-users
Searchable Archives: http://leafe.com/archives/search/dabo-users
This message:
http://leafe.com/archives/byMID/[email protected]
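As an added illustration (not code from the thread or from Dabo), the two patterns Ed contrasts, run against a constructed in-memory SQLite table, with John's character blacklist alongside them; the table, the sample names and the function names are assumptions made for this example.

```python
import sqlite3

# Added example: '%s' formatting (no escaping) next to '?' parameter
# binding (adapter escapes/binds the value), plus the blacklist check
# from the thread, against constructed sample data.

def make_db():
    """Constructed sample data; one name legitimately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn

def lookup_with_format(conn, name):
    """Python string formatting: the value is pasted into the SQL text
    with no escaping, so any quote in it is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_with_params(conn, name):
    """DB-API placeholder: the adapter binds the value as data, so the
    statement's structure cannot change whatever the value contains."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def formatted_query_breaks(conn, name):
    """True when the formatted statement no longer parses as intended."""
    try:
        lookup_with_format(conn, name)
    except sqlite3.Error:
        return True
    return False

# John's blacklist from the thread, kept verbatim (in a plain string the
# '%%' is simply two '%' characters).
BLACKLIST = """,./<>?;':"[]\\{}|`~!@#$%%^&*()_=+"""

def has_blacklisted_char(value):
    """John's clean-up check: rejects input containing any listed
    character, which also rejects legitimate names such as O'Brien."""
    return any(ch in BLACKLIST for ch in value)

if __name__ == "__main__":
    db = make_db()
    print(lookup_with_params(db, "O'Brien"))
    print(formatted_query_breaks(db, "O'Brien"))
    print(has_blacklisted_char("O'Brien"))
```

The parameterized lookup returns the O'Brien row, the formatted one raises a syntax error from the database, and the blacklist would have refused the name before it reached either query.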