so you wouldn't object then to something like '.... in (%)' % ','.join([str_edit_for_exploit(x) for x in aList])
if str_edit_for_exploit applied security edits?

On Fri, Sep 26, 2008 at 2:28 PM, Benjamin Kaplan <[EMAIL PROTECTED]> wrote:

> On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin <[EMAIL PROTECTED]> wrote:
>
>> Doesn't it depend on where and why you intend to execute the code?
>> Obviously some SQL is more at risk for exploit when the input is from the
>> screen on a web page than if you were running parameterized code in a
>> controlled batch environment. Or if you were writing code generators (which
>> is what I happen to do) which won't be run by the general public.
>>
>> Incidentally, couldn't input field edits prevent such exploits prior to
>> interpolation?
>
> There are ways to avoid SQL injection attacks, such as escaping all quotes
> in the text. We were simply pointing out that you have to be very careful
> when you add arbitrary strings into SQL statements. If you control
> everything going into the statement, you shouldn't have to worry about this.
>
> --
> | _ | * | _ |
> | _ | _ | * |
> | * | * | * |
-- http://mail.python.org/mailman/listinfo/python-list
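As an added example (not code from this thread or any of its posters): the interpolated `IN (...)` pattern under discussion, the quote-doubling "edit" Benjamin mentions, and the parameterized alternative, run against a constructed in-memory SQLite table. The `users` table, the sample names and the helper function names are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo; the table and names are not from the thread.
SAMPLE_NAMES = ["alice", "O'Brien", "bob"]

def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn

def escape_quotes(value):
    """The 'security edit' discussed in the thread: double each single quote so it
    cannot close the SQL string literal. It only covers quoted string literals."""
    return str(value).replace("'", "''")

def query_by_interpolation(names, edit=None):
    """The pattern under discussion: '... IN (%s)' % ','.join(...).
    edit=None is the raw form; edit=escape_quotes applies the edit to each value."""
    edit = edit or str
    in_list = ",".join("'%s'" % edit(n) for n in names)
    return "SELECT name FROM users WHERE name IN (%s) ORDER BY id" % in_list

def query_by_parameters(names):
    """Parameterized form: one '?' placeholder per value, values bound by the
    driver, so quotes in the data never become part of the SQL text."""
    placeholders = ",".join("?" for _ in names)
    sql = "SELECT name FROM users WHERE name IN (%s) ORDER BY id" % placeholders
    return sql, tuple(names)

def find_names_interpolated(conn, names, edit=None):
    """Run the interpolated query; return (rows, error_name) so failures are visible."""
    try:
        rows = [r[0] for r in conn.execute(query_by_interpolation(names, edit))]
        return rows, None
    except sqlite3.Error as exc:
        return [], type(exc).__name__

def find_names_parameterized(conn, names):
    """Run the parameterized query; 'IN ()' is not portable SQL, so short-circuit."""
    if not names:
        return []
    sql, params = query_by_parameters(names)
    return [r[0] for r in conn.execute(sql, params)]
```

With the raw interpolation, `find_names_interpolated(make_db(), ["O'Brien", "bob"])` returns `([], 'OperationalError')` because the apostrophe in the data ends the string literal early; the escaped and parameterized forms both return `["O'Brien", "bob"]`.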