On Mon, 2004-06-21 at 12:36, Marc Saric wrote:
> I am working on a small Db-project which provides a Webware-based
> HTML-interface to a Postgres-database.
> Forms are managed with the help of FormKit.
> Although this is only for Intranet-use, I would like to add a
> Validator, which prevents SQL-injection on Db-queries.
> Has anyone tried to write one, or has any advice on where to look or
> how to tackle this problem?

Hi Marc,

Instead of validating the input, consider simply escaping all potentially dangerous characters. PostgreSQL conveniently provides a function to do this, so all the hard work is done. If you're using the psycopg adapter, the function is called 'QuotedString'. You simply do:

    import psycopg
    s = get_raw_user_input()
    s = psycopg.QuotedString(s)

Now you can use 's' safely in a query.

--
Jason D. Hildebrand
T: 204 775 1212
E: [EMAIL PROTECTED]

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss
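A worked illustration of the point made in the reply, added here and not part of the thread: it uses the standard-library sqlite3 module as a stand-in for PostgreSQL/psycopg (an assumption, so it runs offline) and a hand-written `quote_literal` that mimics what `QuotedString` does, placed beside the raw-concatenation form that is injectable and the parameter-binding form that most adapters also offer.

```python
import sqlite3

# Constructed sample data standing in for the intranet user table.
SAMPLE_USERS = [("alice", "alice@example.org"),
                ("bob", "bob@example.org"),
                ("carol", "carol@example.org")]


def quote_literal(s):
    """Hand-rolled stand-in for psycopg's QuotedString: wrap in single
    quotes and double every embedded quote so the input can only ever be
    a string value. (QuotedString also handles backslash escaping for the
    server's settings; that detail is omitted for the sqlite3 stand-in.)"""
    return "'" + s.replace("'", "''") + "'"


def lookup_unsafe(conn, name):
    """Vulnerable form: raw concatenation lets input rewrite the query."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_quoted(conn, name):
    """Escaped-literal form, as the reply recommends."""
    sql = "SELECT email FROM users WHERE name = " + quote_literal(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameter binding: the driver keeps data out of the SQL text."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def make_db():
    """In-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def demo(name="' OR '1'='1"):
    """Run the three lookups on one input; only the unsafe one leaks."""
    conn = make_db()
    return {"unsafe": lookup_unsafe(conn, name),
            "quoted": lookup_quoted(conn, name),
            "param": lookup_param(conn, name)}
```

With the default input, `demo()` returns all three addresses for the unsafe lookup and an empty list for the quoted and parameterised ones, because in those two the whole string is treated as a name to match rather than as SQL.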