Re: Python or PHP?
- From: Steve Holden <steve@xxxxxxxxxxxxx>
- Date: Sun, 24 Apr 2005 19:03:39 -0400
Leif Biberg Kristensen wrote:
> Leif K-Brooks wrote:
>> But Python's DB-API (the standard way to connect to an SQL database from Python) makes escaping SQL strings automatic. You can do this:
>> cursor.execute('UPDATE foo SET bar=%s WHERE id=%s', ["foo'bar", 123])
> So. I've been writing SQL queries in Python like this, using PostgreSQL and psycopg:
> cursor.execute("select * from foo where bar=%s" % baz)
> Is that wrong, and how should I have been supposed to know that this is bad syntax? No doc I have seen actually has told me so.
It's *wrong* for some value of "wrong" - it does potentially introduce a SQL injection vulnerability into your code.
Suppose I provide as input into the baz variable
1; drop table foo
Your statement then becomes
select * from foo where bar=1; drop table foo
which is clearly not such a good idea. More sophisticated attacks are possible, but this gives you the idea.
regards
Steve
--
Steve Holden       +1 703 861 4237  +1 800 494 3119
Holden Web LLC             http://www.holdenweb.com/
Python Web Programming  http://pydish.holdenweb.com/
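Added illustration, not code from this thread: the two query styles discussed above run against a constructed in-memory SQLite table. Because sqlite3's execute() refuses more than one statement per call, executescript() is used to stand in for a driver such as psycopg that hands the whole formatted string to the server; sqlite3's placeholder is '?' where psycopg's is '%s'.

```python
import sqlite3


def fresh_db():
    """Constructed sample table: foo(id, bar) with bar = 1, 2, 3."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (id integer primary key, bar integer)")
    conn.executemany("insert into foo (bar) values (?)", [(1,), (2,), (3,)])
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "select count(*) from sqlite_master where type='table' and name=?", (name,)
    ).fetchone()
    return row[0] == 1


def query_formatted(conn, baz):
    """The pattern from the thread: Python's % operator builds the SQL text.

    sqlite3's execute() refuses more than one statement per call, so
    executescript() stands in for a driver that passes the whole string to
    the server (as psycopg does with PostgreSQL). Returns the SQL actually sent.
    """
    sql = "select * from foo where bar=%s" % baz
    conn.executescript(sql)
    return sql


def query_parameterized(conn, baz):
    """DB-API parameters: baz travels as a bound value, never as SQL text.

    sqlite3's paramstyle is '?' (qmark); psycopg uses '%s' (pyformat). Either
    way the driver, not string formatting, handles quoting and separation.
    """
    return conn.execute("select * from foo where bar=?", (baz,)).fetchall()


if __name__ == "__main__":
    payload = "1; drop table foo"  # the input from Steve's message
    conn = fresh_db()
    print("sent:", query_formatted(conn, payload))
    print("foo still exists after formatted query:", table_exists(conn, "foo"))
    conn = fresh_db()
    print("rows from parameterized query:", query_parameterized(conn, payload))
    print("foo still exists after parameterized query:", table_exists(conn, "foo"))
```

With the parameterized form the entire string is compared against the bar column as a value, so it matches nothing and the table is untouched.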