Re: [BangPypers] Drupal vs. Django
On Mon, Nov 16, 2009 at 4:30 PM, bangpypers-requ...@python.org wrote:

> From: Noufal Ibrahim nou...@gmail.com
> Message-ID: 9963e56e0911160144m44417d94k2f70c2e75759d...@mail.gmail.com
> Content-Type: text/plain; charset=windows-1252
>
> It's perfectly possible and equally easy to write SQL injection exploitable code in Python if you're using the raw DBAPI

That's not quite accurate. The accepted defense against SQL injection is using prepared statements, and DBAPI strongly encourages one to use prepared statements instead of constructing the SQL statement using string manipulation.

Unfortunately, the placeholder MySQLdb uses is %s, which is easy to confuse with string interpolation. The sqlite3 dbapi, for instance, uses '?', which is much clearer.

Vijay
--
http://www.wisdomtap.com/

___
BangPypers mailing list
BangPypers@python.org
http://mail.python.org/mailman/listinfo/bangpypers
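The distinction Vijay draws, shown as an added example that is not from the thread: the same lookup written with Python's % interpolation and with a DBAPI placeholder, run against a constructed in-memory sqlite3 table, plus the `paramstyle` attribute that tells you which placeholder a given DBAPI module expects.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db():
    """In-memory sqlite3 database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_interpolated(conn, name):
    """The pattern Vijay warns about: the value is spliced into the SQL
    text with Python's % operator, so quote characters in `name` change
    the statement's structure instead of being treated as data."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """DBAPI prepared statement using sqlite3's '?' placeholder. The value
    is bound by the driver and is never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def placeholder_for(paramstyle):
    """Map a DBAPI module's `paramstyle` attribute to its placeholder token.
    sqlite3 reports 'qmark' ('?'); MySQLdb reports 'format' ('%s'), the same
    token Python's own string formatting uses, which is the confusion Vijay
    describes. With MySQLdb the safe form is still
    cursor.execute("... WHERE name = %s", (name,)), i.e. params passed as
    the second argument, never applied with the % operator. Other DBAPI
    paramstyles are deliberately omitted here."""
    return {"qmark": "?", "format": "%s"}[paramstyle]


def injection_demo():
    """Run both lookups against an input that closes the quote early.
    Returns (rows from interpolation, rows from the prepared statement)."""
    conn = make_db()
    crafted = "' OR '1'='1"
    return (sorted(lookup_interpolated(conn, crafted)),
            lookup_parameterized(conn, crafted))


if __name__ == "__main__":
    leaked, bound = injection_demo()
    print("interpolated:", leaked)    # every row comes back
    print("parameterized:", bound)    # no row matches, as intended
```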
Re: [BangPypers] Drupal vs. Django
On Mon, Nov 16, 2009 at 12:42 PM, Ramdas S ram...@gmail.com wrote:

> On Mon, Nov 16, 2009 at 12:34 PM, Noufal Ibrahim nou...@gmail.com wrote:
>
>> We had a thread a while ago inspired by the fossee.in site. I came across this http://birdhouse.org/blog/2009/11/11/drupal-or-django/ which is relevant to the issue and which might interest people who have to make a decision.

Nice link, I have been reading it plus comments since you posted it. I found this gem somewhere down the page.

    Some attack vectors, like SQL injection (and other input sanitization exploits) are pretty much eliminated by Python’s DB API and Django’s ORM and Form validation tools. This is not to say you couldn’t create an exploit in a Django app, but that you’d have to be trying to on purpose.

I remember I had made a similar point in that thread when it came to Python vs PHP on security. This is exactly the point I wanted to make.

>> We've had a thread last 2 days on django-users with our own Kenneth raising some observations, even that's worth following.
>
> Nice link
>
>> Thanks
>> ~noufal
>> http://nibrahim.net.in
>
> --
> Ramdas S
> +91 9342 583 065

--
--Anand
Re: [BangPypers] Drupal vs. Django
On Mon, Nov 16, 2009 at 12:34 PM, Noufal Ibrahim nou...@gmail.com wrote:

> We had a thread a while ago inspired by the fossee.in site. I came across this http://birdhouse.org/blog/2009/11/11/drupal-or-django/ which is relevant to the issue and which might interest people who have to make a decision.
>
> We've had a thread last 2 days on django-users with our own Kenneth raising some observations, even that's worth following.

Nice link

> Thanks
> ~noufal
> http://nibrahim.net.in

--
Ramdas S
+91 9342 583 065