On Tue, Dec 1, 2020 at 4:34 PM Ivan "Rambius" Ivanov <rambiusparkisan...@gmail.com> wrote:
>
> Hello,
>
> I want to store the hashes of strings in a database and I have
> problems generating the sql statements. I generate the hashes using
> hashlib and then convert them to base64 and I put the base64
> representation in the sql. Here is the code:
>
> sql = "insert into HASHES value ('" + ehash + "')"
>
Don't do this! DO NOT do this! Even if it might happen to work with a base64-encoded value, this is a terrible terrible bug just waiting to happen. Instead, use *parameterized queries* and keep your SQL safe.

Concatenating arbitrary data into an SQL statement is one of the top ten most common and dangerous flaws in application code. Just don't do it.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
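Added illustration (not from either poster): the concatenated INSERT from the question beside the parameterized form ChrisA recommends, run against an in-memory sqlite3 table. The `HASHES` table schema, the `hash_b64` helper and the constructed input containing a quote are assumptions; the keyword is spelled `values` so that SQLite accepts it.

```python
import base64
import hashlib
import sqlite3


def hash_b64(text: str) -> str:
    """SHA-256 of text, base64-encoded: the kind of value the poster's ehash holds."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_db() -> sqlite3.Connection:
    # Assumed schema: the original mail only shows the INSERT statement.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE HASHES (value TEXT NOT NULL)")
    return conn


def insert_concat(conn: sqlite3.Connection, ehash: str) -> None:
    """The pattern from the question: data spliced into the SQL text. Do not use."""
    sql = "insert into HASHES values ('" + ehash + "')"
    conn.execute(sql)


def insert_param(conn: sqlite3.Connection, ehash: str) -> None:
    """Parameterized form: the driver keeps the data separate from the statement."""
    conn.execute("insert into HASHES values (?)", (ehash,))


def stored_values(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT value FROM HASHES ORDER BY rowid")]


def demo():
    conn = make_db()
    good = hash_b64("hello")
    insert_concat(conn, good)  # base64 alphabet has no quote, so this happens to work
    insert_param(conn, good)
    # Constructed value containing a quote: the concatenated statement is malformed,
    # while the parameterized one stores it verbatim.
    odd = "abc'def"
    try:
        insert_concat(conn, odd)
        concat_failed = False
    except sqlite3.OperationalError:
        concat_failed = True
    insert_param(conn, odd)
    return concat_failed, stored_values(conn)


if __name__ == "__main__":
    print(demo())
```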