Michael Mabin wrote:
I laugh in the face of danger. Give me a use case for an exploit.
.... (see below)
On Fri, Sep 26, 2008 at 8:05 AM, Tino Wildenhain <[EMAIL PROTECTED]> wrote:
> Michael Mabin wrote:
>>     cursor.execute("""
>>         SELECT titem.object_id, titem.tag_id
>>         FROM tagging_taggeditem titem
>>         WHERE titem.object_id IN (%s)
>>     """ % ','.join([str(x) for x in [1,5,9]]))
>
> Nope. That would be dangerous! -> google for SQL injection
>
> Tino
You are not seeing it? Do you know where the OP actually gets his list data from in the first place?

You might get away with str(int(x)) as an easy "sanitizer".

Tino
-- http://mail.python.org/mailman/listinfo/python-list
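The point argued in the thread, as an added example that is not code from any of the posters: the string-formatted `IN (...)` list beside the `str(int(x))` coercion and a placeholder-per-value query. It assumes the standard-library `sqlite3` driver and its `?` placeholder (the thread does not name a driver); the table rows and the non-integer list element are constructed for the demonstration.

```python
import sqlite3

SQL = ("SELECT titem.object_id, titem.tag_id "
       "FROM tagging_taggeditem titem "
       "WHERE titem.object_id IN (%s) "
       "ORDER BY titem.object_id")


def make_db():
    # Constructed sample data; table and column names follow the thread's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tagging_taggeditem "
               "(object_id INTEGER, tag_id INTEGER)")
    db.executemany("INSERT INTO tagging_taggeditem VALUES (?, ?)",
                   [(1, 10), (5, 20), (9, 30), (42, 99)])
    return db


def formatted(db, ids):
    # Pattern from the thread: every value becomes part of the SQL text,
    # so a string element is parsed as SQL, not compared as data.
    return db.execute(SQL % ",".join([str(x) for x in ids])).fetchall()


def coerced(db, ids):
    # The str(int(x)) variant: a non-integer element raises ValueError
    # before any SQL is built. Only valid when every value is an integer.
    return db.execute(SQL % ",".join([str(int(x)) for x in ids])).fetchall()


def parameterized(db, ids):
    # One placeholder per value; the driver binds the values separately,
    # so they are never parsed as SQL regardless of their content.
    ids = list(ids)
    if not ids:
        return []  # "IN ()" is rejected by many SQL engines
    marks = ",".join("?" * len(ids))
    return db.execute(SQL % marks, ids).fetchall()


if __name__ == "__main__":
    db = make_db()
    untrusted = [1, "0) OR (1=1"]  # constructed: list data from outside
    print("formatted:    ", formatted(db, untrusted))
    print("parameterized:", parameterized(db, untrusted))
    try:
        coerced(db, untrusted)
    except ValueError as exc:
        print("coerced:       rejected,", exc)
```

With the constructed input, the formatted query returns every row in the table, the parameterized query returns only the row for `object_id` 1, and the coerced variant refuses the list outright.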