I am not understanding your question well... Anthony is more knowledgeable
than me about that, but to me db.executesql() is a tool to do SQL
"injection" in a controlled manner... So, is it dangerous? The answer is yes
and no; it depends on how you use it.

For example, if you make a form and in a field you receive "DROP DB;" and you
do:

db.executesql('%s' % form.vars.field)
db.commit()

This is really dangerous, because a malicious user of your form could
inject any SQL command and you pass it directly into db.executesql().

I know that web2py is protected from SQL injection if you use the high-level
form tools (SQLFORM, crud, SQLFORM.grid, SQLFORM.smartgrid), but I don't
know if there is any way to protect from SQL injection using db.executesql().
Maybe Anthony can tell us more about it.

I am far from an expert in security, but you can do tests to verify these
assumptions; they are all trivial to do.

:)

Richard

On Fri, Nov 20, 2015 at 3:08 AM, Pierre <[email protected]> wrote:

> placeholders seem to work as long as the arguments passed to the query
> aren't a table_name
>
> Is the "style of code" in test() dangerous? (SQL intrusion)
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>

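The two points raised in this thread (the string-formatted query Richard shows, and Pierre's observation that placeholders work for values but not for table names) can be checked side by side in a few lines. The example below is added here and is not code from the thread or from web2py; it uses Python's sqlite3 DB-API cursor directly so it runs offline, which is the same mechanism web2py relies on when db.executesql(query, placeholders=...) hands the placeholders to the driver's cursor (the placeholder marker depends on the driver: "?" for sqlite3, "%s" for psycopg2 and MySQLdb). The table, rows, function names and KNOWN_TABLES allowlist are all constructed for the example.

```python
import sqlite3


# Constructed sample schema and data, not from the original thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_user (id INTEGER PRIMARY KEY, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO auth_user (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, email):
    # The pattern from the message: user input pasted into the SQL text.
    # Anything the user types is parsed as SQL, so "' OR '1'='1" widens the WHERE.
    sql = "SELECT email FROM auth_user WHERE email = '%s' ORDER BY id" % email
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    # Placeholder: the value travels separately from the SQL text and is never
    # parsed as SQL. This is what executesql(query, placeholders=(email,)) does.
    sql = "SELECT email FROM auth_user WHERE email = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (email,))]


# Hypothetical allowlist of table names the application knows about.
KNOWN_TABLES = {"auth_user"}


def count_rows(conn, table):
    # Identifiers (table and column names) cannot be bound as placeholders,
    # which is the limit Pierre ran into. The safe pattern is to validate the
    # name against an allowlist before interpolating it, never to trust input.
    if table not in KNOWN_TABLES:
        raise ValueError("unknown table: %r" % table)
    sql = 'SELECT COUNT(*) FROM "%s"' % table
    return conn.execute(sql).fetchone()[0]


def demo():
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "unsafe": lookup_unsafe(conn, payload),  # leaks every row
        "safe": lookup_safe(conn, payload),      # matches nothing
        "count": count_rows(conn, "auth_user"),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the formatted query returning both users for the tautology payload while the placeholder query returns an empty list; passing a non-allowlisted string such as a table name with a trailing "; DROP TABLE ..." to count_rows raises ValueError before any SQL is built.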