On Tue, 25 Apr 2006 19:45:04 +0400
Oleg Broytmann <[EMAIL PROTECTED]> wrote:

> On Tue, Apr 25, 2006 at 04:24:04PM +0200, Grzesiek Slusarek wrote:
> > Hi all. In my apps I'm using select with clause="my_column like 
> > ('%s%')" %(myvariable). I'm wondering, can SQLObject escape 
> > values that I put in select (to prevent e.g. SQL injection)?
> 
>    No, SQLObject doesn't do such protection.
> 
> Oleg.

Actually, the sqlrepr function does it...

I usually use the db connection.

soclass.connection.sqlrepr('some string you want escaped')

Be aware that this will return a string containing 'some string you
want escaped' (including the single quotes), so you don't have to quote
it inside your clause string.

sqlrepr can be used with booleans, ints, strings, and a bunch of other
things.

Jason
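An added illustration of the point above (not code from this thread or from SQLObject): a stand-in `quote_literal` that mimics what `sqlrepr` returns for a string (the value wrapped in single quotes, embedded quotes doubled, which is the standard SQL form; SQLObject's real output may differ by backend), used in the LIKE clause from the original question without adding a second pair of quotes. It also shows the caveat that such quoting leaves LIKE wildcards in user input untouched.

```python
# Hypothetical stand-in for SQLObject's sqlrepr on a str (not SQLObject code):
# returns the value as a quoted SQL literal, quotes included, with embedded
# single quotes doubled, the standard SQL way to keep them inside the literal.
def quote_literal(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"

# The pattern from the question: string formatting a raw value into the clause.
# A value containing a quote changes the structure of the statement.
def unsafe_like_clause(value: str) -> str:
    return "my_column like '%s%%'" % value

# Because quote_literal already returns the surrounding quotes, the clause
# template must not add its own; the LIKE wildcard is appended inside the literal.
def safe_like_clause(value: str) -> str:
    return "my_column like %s" % quote_literal(value + "%")

# sqlrepr-style quoting does not touch LIKE metacharacters, so a user-supplied
# '%' or '_' still acts as a wildcard and widens the match. Escape them and
# declare the escape character ('!' is chosen so no backend treats it specially).
def like_prefix_clause(value: str, esc: str = "!") -> str:
    pattern = (value.replace(esc, esc + esc)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))
    return "my_column like %s escape %s" % (quote_literal(pattern + "%"),
                                             quote_literal(esc))

# A cheap structural check: every string literal opens and closes, so a
# well-formed clause has an even number of single-quote characters; an odd
# count means the value broke out of its literal.
def quote_count(sql: str) -> int:
    return sql.count("'")

# Constructed sample: a legitimate value that happens to contain an apostrophe.
SAMPLE = "O'Brien"

if __name__ == "__main__":
    for build in (unsafe_like_clause, safe_like_clause, like_prefix_clause):
        sql = build(SAMPLE)
        print("%-20s %-35s quotes=%d" % (build.__name__, sql, quote_count(sql)))
```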
