Well, I wouldn't panic; it quotes literals, so a SQL injection attack is
pretty unlikely in most if not all cases... I should not have said
that this was a major issue with it. I'm not sure how it handles
numeric literals and such, but I would imagine it's similarly careful
about stuff like that as well. To me, having the application layer
quote everything is more fragile than bind params, but in reality it's
probably the same security-wise.
On Mar 25, 2006, at 1:42 AM, David Geller wrote:
I hate to get off on this tangent here, but I wasn't aware
SQLObject was vulnerable to SQL injection - is this really true?
(Perhaps an example would be useful, or a link...)
Thanks!
David
Michael Bayer wrote:
hi David -
I know that Jonathan continues to have strong opinions on this
matter. Personally, I think SQLObject is a perfectly good ORM that
should remain in wide use. There is one very major issue with it,
which is that AFAIK it doesn't use bind parameters, which leaves it
open to SQL injection attacks. It seems Ian seeks to fix that in
SQLObject2. But otherwise, it
...
_______________________________________________
Sqlalchemy-users mailing list
Sqlalchemy-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlalchemy-users
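As an added example (not code from this thread, from SQLObject or from SQLAlchemy), here is the distinction the reply above draws between application-layer quoting and bind parameters, run against Python's built-in sqlite3 on a constructed two-row users table. quote_literal is a hypothetical quoter written for this example; it is not SQLObject's. The numeric-literal functions show the case the reply is unsure about: a number has no quotes to escape, so a quoting scheme only protects it if the quoter, not the caller, decides what is numeric.

```python
import sqlite3

# Constructed sample data for this example; not from any real schema.
USERS = [("alice", 1), ("bob", 0)]


def make_db():
    """Fresh in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "is_admin INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)", USERS)
    return conn


def quote_literal(value):
    """Hypothetical application-layer quoter (example code, not SQLObject's).

    Strings are single-quoted with embedded quotes doubled, which is enough for
    SQLite's lexer; numbers are emitted raw.
    """
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    return "'" + str(value).replace("'", "''") + "'"


def names_for(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


# 1. Plain string interpolation with no quoting: the textbook injection.
def find_by_name_interpolated(conn, name):
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY id" % name
    return names_for(conn, sql)


# 2. Application-layer quoting: safe as long as every value goes through the quoter.
def find_by_name_quoted(conn, name):
    sql = "SELECT name FROM users WHERE name = %s ORDER BY id" % quote_literal(name)
    return names_for(conn, sql)


# 3. Bind parameters: the value is sent separately and never enters the SQL text.
def find_by_name_bound(conn, name):
    return names_for(conn, "SELECT name FROM users WHERE name = ? ORDER BY id", (name,))


# Numeric literals. If the application formats an id raw because it "knows" ids are
# integers, a string that actually arrived from a request goes straight into the SQL
# and there is no quote character for the attacker to have to break out of.
def find_by_id_raw_numeric(conn, user_id):
    sql = "SELECT name FROM users WHERE id = %s ORDER BY id" % user_id
    return names_for(conn, sql)


# The same query is safe only because quote_literal, not the caller, classifies
# the value: a str payload gets quoted and compares as text, matching nothing.
def find_by_id_quoted(conn, user_id):
    sql = "SELECT name FROM users WHERE id = %s ORDER BY id" % quote_literal(user_id)
    return names_for(conn, sql)


def find_by_id_bound(conn, user_id):
    return names_for(conn, "SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,))


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print("interpolated:", find_by_name_interpolated(make_db(), payload))  # ['alice', 'bob']
    print("quoted:      ", find_by_name_quoted(make_db(), payload))        # []
    print("bound:       ", find_by_name_bound(make_db(), payload))         # []
    num_payload = "0 OR 1=1"
    print("raw numeric: ", find_by_id_raw_numeric(make_db(), num_payload))  # ['alice', 'bob']
    print("quoted num:  ", find_by_id_quoted(make_db(), num_payload))       # []
    print("bound num:   ", find_by_id_bound(make_db(), num_payload))        # []
```

The quoted and bound variants give the same answers here, which is the "probably the same security-wise" point. The fragility shows up in what the quoter has to know: doubling single quotes is sufficient for SQLite, but on MySQL with backslash escapes enabled a quoter that only doubles quotes can still be broken out of with a backslash before the closing quote, and the correct escaping also depends on the connection's character set. A quoter has to track every backend's lexer and every code path that builds SQL; a bind parameter never reaches the lexer at all.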