Hi,

> -----Original message-----
> From: Ian Bicking [mailto:[EMAIL PROTECTED]
> Sent: Thursday 30 December 2004 22:47
<snip very interesting info, useful to me at least!>

> > """
> > WHERE userName='%s';
> > """
> > % (userName)
> >
> > merely smells, but
>
> More than smells, it is also insecure. When using the raw DB
> API, you should do:
>
> cursor.execute("... WHERE userName = %s", (userName,))
>
> Note the lack of '. The database driver will do the proper
> quoting for you, and protect against SQL injection. Lots of
> people aren't aware of this functionality, so I thought it
> should be noted for the benefit of anyone listening who is
> accessing databases this way.

Good point, and very good you point this out! (*ugh* I knew this of course but left it out for didactic reasons :-))) *ugh/blush*)

Also to the benefit of people listening: I used DocumentTemplate for a long time with unnecessary and inelegant home-brewed 'sql-escape' methods in Python code until a colleague told me that DocumentTemplate has a modifier for this, e.g. (in the dtml / dsql file):

WHERE userName = '<dtml-var "user.userName" sql_quote>'

(the word sql_quote is a DTML keyword, namely one of a few string modifiers doing the escaping (and preventing SQL injection attacks!) for you)

--
Thijs
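The difference Ian describes, carried through in runnable form with Python's standard sqlite3 module. This is an added example, not code from the thread or from Webware/DocumentTemplate; the users table and its rows are constructed here, and sqlite3 uses the '?' paramstyle where MySQLdb or psycopg2 would use the '%s' shown in Ian's snippet. The unsafe lookup splices the value into the SQL text, so a plain apostrophe in a username already changes the statement rather than the data; the bound-parameter version hands the value to the driver separately and is unaffected.

```python
import sqlite3

# Constructed sample data for this example; the table and rows are invented.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("O'Brien", "obrien@example.org"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, user_name):
    """The pattern the thread warns against: the value becomes part of the SQL
    text, so any quote in it alters the statement instead of the data."""
    sql = "SELECT email FROM users WHERE userName='%s'" % (user_name,)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_name):
    """DB-API parameter binding, as Ian recommends. Note: no quotes around the
    placeholder; the driver quotes the value and keeps it out of the SQL text."""
    rows = conn.execute(
        "SELECT email FROM users WHERE userName = ?", (user_name,)
    )
    return [row[0] for row in rows]


def demo():
    """Run both lookups against a username containing an apostrophe and report
    what each returns; the unsafe one fails because the query text is broken."""
    conn = make_db()
    results = {}
    results["safe_plain"] = lookup_safe(conn, "alice")
    results["safe_quote"] = lookup_safe(conn, "O'Brien")
    results["unsafe_plain"] = lookup_unsafe(conn, "alice")
    try:
        results["unsafe_quote"] = lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the literal early: data became SQL syntax.
        results["unsafe_quote"] = "error: %s" % exc
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-13s %s" % (key, value))
```

The syntax error on the unsafe path is the benign face of the same defect Ian calls insecure: whatever the input contains is parsed as SQL. The bound-parameter version returns the O'Brien row correctly, because the apostrophe never reaches the parser as syntax. DocumentTemplate's sql_quote modifier, mentioned above, addresses the same problem at the template layer by escaping the interpolated value.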