David Bear wrote:
>>Steve Holden wrote:
>
>
>>Fredrik Lundh wrote:
>>
>>>Frank Millman wrote:
>>>
>>>
>>>
Each of the API's includes the capability of passing commands in the
form of 'string + parameters' directly into the database. This means
that the data values are never embedded i
David Bear wrote:
>
> The statement above can cause relief or pain. Letting the DBAPI handle
> proper string escapes, formating, etc., is a big relief. However, I am
> still wondering what happens under the covers. If I have a string '1\n'
> that I've read from some source and I really intend on i
>Steve Holden wrote:
> Fredrik Lundh wrote:
>> Frank Millman wrote:
>>
>>
>>>Each of the API's includes the capability of passing commands in the
>>>form of 'string + parameters' directly into the database. This means
>>>that the data values are never embedded into the SQL command at all,
>>>an
Fredrik Lundh wrote:
> David Bear wrote:
>
>> Being new to pgdb, I'm finding there are lot of things I don't understand
>> when I read the PEP and the sparse documentation on pgdb.
>>
>> I was hoping there would be a module that would properly escape longer
>> text strings to prevent sql injectio
Fredrik Lundh wrote:
> Frank Millman wrote:
>
>
>>Each of the API's includes the capability of passing commands in the
>>form of 'string + parameters' directly into the database. This means
>>that the data values are never embedded into the SQL command at all,
>>and therefore there is no possibil
Frank Millman wrote:
> Each of the API's includes the capability of passing commands in the
> form of 'string + parameters' directly into the database. This means
> that the data values are never embedded into the SQL command at all,
> and therefore there is no possibility of injection attacks.
a
David Bear wrote:
> Being new to pgdb, I'm finding there are lot of things I don't understand
> when I read the PEP and the sparse documentation on pgdb.
>
> I was hoping there would be a module that would properly escape longer text
> strings to prevent sql injection -- and other things just make
David Bear <[EMAIL PROTECTED]> wrote:
>Being new to pgdb, I'm finding there are lot of things I don't understand
>when I read the PEP and the sparse documentation on pgdb.
>
>I was hoping there would be a module that would properly escape longer text
>strings to prevent sql injection -- and other
Fredrik Lundh wrote:
>> web searchs for 'python sql escape string' yeild way too many results.
>>
>> Any pointers would be greatly appreciated.
>
> for x in range(100):
>print "USE PARAMETERS TO PASS VALUES TO THE DATABASE"
for an example, see "listing 2" in the following article:
h
David Bear wrote:
> Being new to pgdb, I'm finding there are lot of things I don't understand
> when I read the PEP and the sparse documentation on pgdb.
>
> I was hoping there would be a module that would properly escape longer text
> strings to prevent sql injection -- and other things just make
10 matches
Mail list logo
