SQLObject uses validators to ensure that the data coming in for each type of column is valid for that column. Generally speaking, I think that SQLObject is safe from injection attacks, but everyone is definitely in agreement that using bind parameters would be better.
Kevin

On 3/25/06, Michael Bayer <[EMAIL PROTECTED]> wrote:
> Well I wouldn't panic, it quotes literals so a SQL injection attack is
> pretty unlikely in most if not all cases... I should not have said
> that this was a major issue with it. I'm not sure how it handles
> numeric literals and such but I would imagine it's similarly careful
> about stuff like that as well. To me, having the application layer
> quote everything is more fragile than bind params but in reality it's
> probably the same security-wise.
>
>
> On Mar 25, 2006, at 1:42 AM, David Geller wrote:
>
> > I hate to get off on this tangent here, but I wasn't aware
> > SQLObject was vulnerable to sql injection - is this really true?
> > (perhaps an example would be useful, or a link......)

_______________________________________________
Sqlalchemy-users mailing list
Sqlalchemy-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlalchemy-users
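The thread turns on two points: application-layer literal quoting does stop the textbook quote-based payload, and it is fragile precisely on the paths that skip quoting (numeric literals) unless a validator runs first, whereas bind parameters keep the value out of the SQL text altogether. The script below is an added example written for this page; it is not SQLObject's or SQLAlchemy's code, and the `quote_string`, `numeric_literal_loose` and `numeric_literal_strict` helpers are hypothetical stand-ins for an ORM's SQL builder. It uses only the standard-library `sqlite3` module and a constructed three-row table.

```python
"""Literal quoting vs. bind parameters, illustrated with sqlite3.

Added example for this page, not SQLObject's or SQLAlchemy's own code.
The quoting helpers are simplified, hypothetical stand-ins for whatever
an ORM's SQL builder does when it renders a literal into the statement."""
import sqlite3

# Constructed sample data for the demo (not from the original thread).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice',   'admin');
INSERT INTO users VALUES (2, 'bob',     'user');
INSERT INTO users VALUES (3, 'o''neil', 'user');
"""


def fresh_db():
    """Return an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def quote_string(value):
    """Application-layer string quoting: single quotes doubled.
    Correct for standard-SQL backends such as SQLite and PostgreSQL."""
    return "'" + str(value).replace("'", "''") + "'"


def numeric_literal_loose(value):
    """Numeric-column path that merely skips quoting and trusts the caller
    to have validated the value.  Hypothetical: this is the fragile case."""
    return str(value)


def numeric_literal_strict(value):
    """Numeric-column path that validates before interpolating: only a real
    integer reaches the SQL text (bool is excluded on purpose)."""
    if isinstance(value, bool):
        raise TypeError("bool is not an integer literal")
    return str(int(value))  # int('1 OR 1=1') raises ValueError


def ids_by_name_quoted(conn, name):
    """Build the statement by quoting the literal into the SQL text."""
    sql = "SELECT id FROM users WHERE name = " + quote_string(name)
    return [r[0] for r in conn.execute(sql)]


def ids_by_id_quoted(conn, user_id, literal=numeric_literal_strict):
    """Same approach for a numeric column; `literal` picks the rendering."""
    sql = "SELECT id FROM users WHERE id = " + literal(user_id)
    return [r[0] for r in conn.execute(sql)]


def ids_by_name_bound(conn, name):
    """Bind-parameter version: the value never enters the SQL text."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


def ids_by_id_bound(conn, user_id):
    """Bind-parameter version for the numeric column."""
    rows = conn.execute("SELECT id FROM users WHERE id = ?", (user_id,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = fresh_db()
    print(ids_by_name_quoted(conn, "o'neil"))       # [3]: embedded quote handled
    print(ids_by_name_quoted(conn, "' OR '1'='1"))  # []: payload stays inside the literal
    # Numeric path with no validation: the text is spliced in verbatim.
    print(ids_by_id_quoted(conn, "1 OR 1=1", numeric_literal_loose))  # [1, 2, 3]
    try:
        ids_by_id_quoted(conn, "1 OR 1=1")          # strict path refuses it
    except ValueError as exc:
        print("rejected:", exc)
    print(ids_by_id_bound(conn, "1 OR 1=1"))        # []: compared as a value, not parsed
    print(ids_by_id_bound(conn, 1))                 # [1]
```

The quoted-string case behaves as Bayer expects: doubling the quotes keeps `' OR '1'='1` inside the literal. The numeric case is where the quoting design is fragile: whether `1 OR 1=1` is data or SQL depends entirely on a validator having run before the builder, which is exactly the kind of per-path guarantee that bind parameters make unnecessary. Note also that quote-doubling alone is only correct for backends that do not treat backslash as an escape character; that backend dependence is another reason the thread prefers bind parameters.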