Louis Zirkel wrote:
It's been my experience that using bind type variables (:name or :value) with a preceding : doesn't work properly. I spent a good day or two tracking down many issues with getting bind variables to work. I ended up determining that you can use the normal string syntax (i.e. %s or %d) in place of the actual bind variable names and it works...

However, if you don't do this very carefully, you can become vulnerable to "SQL injection". Many people are not aware of that danger. See for instance http://shiflett.org/articles/security-corner-apr2004 (talks about PHP, but the same problem exists with Python of course).

That's one of the benefits of bind variables. So you should either use bind variables or very carefully check the content of variables and escape certain characters before inserting them into the string.

Java programmers can make use of the PreparedStatement object to prevent SQL hacking. I wonder whether something like that could be made available in PyGreSQL as well.

-- Christoph
_______________________________________________
PyGreSQL mailing list
[email protected]
http://mailman.vex.net/mailman/listinfo/pygresql
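An added example illustrating the two routes discussed above (not code from the thread or from PyGreSQL): the `%s`-formatted query beside the bound-parameter form and the manual-escaping form. It assumes the standard-library sqlite3 module as a stand-in database so it runs offline; with PyGreSQL's pgdb module the same `cursor.execute(sql, params)` call applies, using its pyformat placeholders (`%s` / `%(name)s`) instead of sqlite's `?`.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the PostgreSQL database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn


CONN = make_db()


def lookup_unsafe(conn, name):
    # The pattern from the thread: the value is pasted into the SQL text with %s,
    # so any quote characters in it become part of the statement itself.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    # Bind-variable form: SQL text and value are passed separately and the
    # driver does the quoting. pgdb would use %s here with the same call shape.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def quote_literal(value):
    # The "escape certain characters" route from the reply: double every
    # single quote inside a string literal. Works only for string values and
    # is the fallback, not a replacement for bind variables.
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn, name):
    sql = "SELECT name, role FROM users WHERE name = %s" % quote_literal(name)
    return conn.execute(sql).fetchall()


def unsafe_breaks_on(conn, name):
    # True when the %s-formatted statement is no longer valid SQL for this
    # input, which is how the problem usually shows up first (on names like
    # o'brien) before anyone notices it can also change the WHERE clause.
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```

With the value `x' OR role = 'admin`, `lookup_unsafe` returns the admin row while the bound and escaped forms return nothing, and a legitimate name containing an apostrophe only works in the latter two.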
