Dear folks,
Carsten Haese wrote:
On Tue, 2007-08-14 at 10:18 -0400, Mike Meyer wrote:
How often does an identifier come from an untrusted source?
Um, how about in every web-based app that has a real search facility?
One that lets the user specify which column(s) they want to check, or
that can search multiple tables?
Even if you take an identifier directly from an untrusted source, nobody
is forcing you to stick it into a query unchecked.
The better question is why is anybody letting him.
It is the worst form of programming to use unchecked data.
It is garbage like that that make so many systems insecure and the Net into
a mass of botnets.
So is he arguing that he needs tools to check & validate the values before
using them as table or column names?
Anyway, I don't doubt that you often need to put unchecked identifiers
from an untrusted source into queries, but I think you're in a very
small minority compared to the general population of database
application developers. I don't think that the DB-API spec should be
weighed down by requiring a feature of such little general use, but
you're welcome to write a reusable toolkit module that lives outside of
and on top of DB-API. Of course you'll need to code some per-database
logic that defines whether the database accepts delimited identifiers
and what the delimiter is, but you only need to do this once for every
database you plan on supporting.
Keep in mind that this is just my opinion, and I don't speak for the
entire DB-SIG community. It's your right to post a proposal and ask for
a vote.
Sorry, if I seem a little harsh, but this is apparently yet another of
my hot buttons.
Thank you all,
Art Protin
_______________________________________________
DB-SIG maillist - DB-SIG@python.org
http://mail.python.org/mailman/listinfo/db-sig
