On 13/05/16 21:25, Neil D. Cerutti wrote:

>  From your tutorial:
> 
> query = '''INSERT INTO Address
>                 (First,Last,House,Street,District,Town,PostCode,Phone)
>                 Values ("%s","%s","%s","%s","%s","%s","%s","%s")''' %\
>                 (first, last, house, street, district, town, code, phone)
> 
> I am not an expert on SQLite, but that doesn't appear to be a wise way 
> to call SQL from Python. Are the double-quotes enough to protect you 
> from malicious data?

No, and if you carry on reading you will find:

------------------
A Word about Security

While the code above works and demonstrates how to call SQL from Python
it does have one significant flaw. Because I used string formatting to
construct the queries it is possible for a malicious user to enter some
rogue SQL code as input. This rogue code then gets inserted into the
query using the format string and is executed, potentially deleting
vital data. To avoid that, the execute() API call has an extra trick up
its sleeve....

-------------



-- 
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
http://www.amazon.com/author/alan_gauld
Follow my photo-blog on Flickr at:
http://www.flickr.com/photos/alangauldphotos


_______________________________________________
Tutor maillist  -  Tutor@python.org
To unsubscribe or change subscription options:
https://mail.python.org/mailman/listinfo/tutor
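Added example, not part of the original message or of the tutorial it quotes: the string-formatted INSERT from the thread next to the same INSERT using the `sqlite3` module's `?` placeholders, run on constructed inputs. It assumes an in-memory database, an untyped `Address` table with the quoted column names, and a SQLite build that accepts double-quoted string literals (the library default); the helper names and sample values are made up for the illustration.

```python
import sqlite3

COLUMNS = "First,Last,House,Street,District,Town,PostCode,Phone"

def new_db():
    # Throwaway in-memory database holding an Address table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Address (%s)" % COLUMNS)
    return db

def insert_formatted(db, fields):
    # The quoted pattern: the values are pasted into the SQL text itself.
    query = ('INSERT INTO Address (' + COLUMNS + ') Values '
             '("%s","%s","%s","%s","%s","%s","%s","%s")') % tuple(fields)
    db.execute(query)

def insert_parameterized(db, fields):
    # Fixed SQL text; values are bound separately and only ever treated as data.
    db.execute("INSERT INTO Address (" + COLUMNS + ") VALUES (?,?,?,?,?,?,?,?)",
               tuple(fields))

def stored_rows(insert, fields):
    # Run one insert against a fresh table; report what was stored, or the error.
    db = new_db()
    try:
        insert(db, fields)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__
    return db.execute("SELECT House, Phone FROM Address").fetchall()

# Constructed sample inputs (not from the thread).
BASE = ["Ann", "Lee", "1", "High St", "North", "Leeds", "LS1 1AA", "01632 960000"]
# Ordinary data that happens to contain double quotes.
QUOTED = BASE[:2] + ['The "Old" Mill'] + BASE[3:]
# A phone value that closes the string literal and supplies a second VALUES tuple.
CRAFTED = BASE[:7] + ['0"),("X","X","X","X","X","X","X","extra row']

if __name__ == "__main__":
    for name, fields in (("quoted", QUOTED), ("crafted", CRAFTED)):
        for insert in (insert_formatted, insert_parameterized):
            print(name, insert.__name__, stored_rows(insert, fields))
```

With the formatted query, the quoted house name is a syntax error and the crafted phone value stores two rows from one call; with placeholders each input is stored as a single row, exactly as entered.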
