Mike Meyer wrote:
> On Mon, 13 Aug 2007 19:11:15 -0500 Carl Karsten <[EMAIL PROTECTED]> wrote:
>> Mike Meyer wrote:
>>> While I think your order is a little exaggerated, I'll merely point
>>> out that it's a common thing to see when you're writing code that
>>> writes code. SQL pretty much sucks for this, but Python isn't too bad -
>>> and it's one of the most powerful programming techniques available - I
>>> seem to use it in every other application. So I'd expect it to become
>>> more common, not less.
>> about a million to one seems realistic to me.
>
> In my experience, it's more like every other application that needs
> this.
>
>> How often does an identifier come from an untrusted source?
>
> Um, how about in every web-based app that has a real search facility?
> One that lets the user specify which column(s) they want to check, or
> that can search multiple tables? I seem to be involved in working on
> one of those every few years: an SGML document search engine, a user
> database search engine, a webmail client, a workflow management
> system, and a software change tracking system are what I can recall
> now.
Hmm, I think I see it. Even if you provide a list of valid identifiers to the browser, there is nothing to prevent that being replaced. Got the URL of one of these so I can examine it?

Carl K

_______________________________________________
DB-SIG maillist - DB-SIG@python.org
http://mail.python.org/mailman/listinfo/db-sig
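The server-side check this exchange points at (a list of valid identifiers handed to the browser can be replaced, so user-chosen table and column names have to be validated against the schema on the server before being quoted into generated SQL, while the search value itself is bound as a parameter), as an added Python/sqlite3 example that is not from the thread; the schema, the table allowlist and the sample rows are constructed for illustration:

```python
import sqlite3

# Constructed in-memory schema standing in for the kind of "user database
# search engine" mentioned in the thread (sample data, not from the list).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, notes TEXT);
INSERT INTO users (name, email, notes) VALUES
  ('alice', 'alice@example.org', 'admin'),
  ('bob',   'bob@example.org',   'guest');
"""

# Tables a search request may name at all (hypothetical allowlist).
SEARCHABLE_TABLES = {"users"}

def quote_ident(name):
    """Double-quote an identifier, escaping embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'

def allowed_columns(conn, table):
    """Return the real column names of an allowlisted table, as reported
    by the database itself rather than by anything the client sent."""
    if table not in SEARCHABLE_TABLES:
        raise ValueError("table not searchable: %r" % table)
    rows = conn.execute("PRAGMA table_info(%s)" % quote_ident(table)).fetchall()
    return {row[1] for row in rows}

def build_search(conn, table, columns, term):
    """Build (sql, params) for a LIKE search over user-chosen columns.

    Identifiers cannot be bound as parameters, so each requested column is
    checked for an exact match against the schema and only then quoted;
    the search term is passed as a bound parameter, never interpolated.
    """
    valid = allowed_columns(conn, table)
    bad = [c for c in columns if c not in valid]
    if bad or not columns:
        raise ValueError("unknown or missing column(s): %r" % bad)
    where = " OR ".join("%s LIKE ?" % quote_ident(c) for c in columns)
    sql = "SELECT id FROM %s WHERE %s" % (quote_ident(table), where)
    return sql, ["%" + term + "%"] * len(columns)

def search(conn, table, columns, term):
    """Run a validated search and return the matching ids."""
    sql, params = build_search(conn, table, columns, term)
    return [row[0] for row in conn.execute(sql, params)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
```

A request naming a column that is not in the schema, or a table outside the allowlist, is rejected before any SQL is generated, regardless of what list the browser was shown.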