On 21 Dec 2005, at 01:37, Silas Snider wrote:
> Do they just quote the string? Or do they use a 'bind variable'
> type idea?
> Example:
> If an attacker typed
> ' or 'a'='a
> into a password input field for instance, would the ORM properly
> prevent the attempted attack from working?
They escape the string in the manner appropriate to the database
backend being used. In the above case if you were using MySQL your
string would become:
"\' or \'a\'=\'a"
Which is perfectly safe. You have to work pretty hard if you want to
open up a SQL injection using Django!
Cheers,
Simon
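The two approaches Silas asks about, shown side by side as an added example (not code from Django or from either poster): a login check that pastes the input into the SQL text, and one that passes it as a bind variable. The table, user and password are constructed for the demonstration, and the `escape_backslash_style` helper only illustrates the kind of backslash escaping Simon describes for MySQL; it is not Django's implementation and is not used against SQLite, which quotes differently.

```python
import sqlite3

# The input from the thread: a quote followed by an always-true condition.
INJECTED_PASSWORD = "' or 'a'='a"


def make_db():
    """Constructed in-memory database with a single user (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO auth_user VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting.

    The attacker's quote closes the literal, so the remainder becomes SQL:
    ... AND password = '' or 'a'='a'  -> the OR branch is always true.
    """
    sql = (
        "SELECT COUNT(*) FROM auth_user "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Uses bind variables: the driver sends the values separately from the
    statement text, so quotes inside the input are data, never syntax."""
    sql = "SELECT COUNT(*) FROM auth_user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def escape_backslash_style(value):
    """Illustrates backslash escaping of the kind Simon mentions for MySQL
    (hypothetical helper, not Django's code): backslashes and quotes are
    prefixed with a backslash so the quote no longer terminates the literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected input:", login_vulnerable(db, "alice", INJECTED_PASSWORD))
    print("safe, injected input:     ", login_safe(db, "alice", INJECTED_PASSWORD))
    print("safe, real password:      ", login_safe(db, "alice", "correct-horse"))
    print("escaped form:             ", escape_backslash_style(INJECTED_PASSWORD))
```

The string-formatted version accepts the injected password because the `OR` branch evaluates to true for every row, while the bound version compares the literal characters and rejects it; escaping the input before formatting, as Simon describes, reaches the same result by a different route, but binding avoids having to get the escaping rules right per backend.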