Hi Dennis,

Yes, we are going to filter the input and use parameterized queries.
But I always prefer to have more than one layer of security.
And users won't be using any SQL queries, they will just input text.

Does the Django configuration always need to have full access to the DB?

Thanks,
Isaac

2013/1/14 Dennis Lee Bieber <wlfr...@ix.netcom.com>

> On Sun, 13 Jan 2013 09:05:51 -0800 (PST), Isaac Perez
> <isaac.perez.mon...@gmail.com> declaimed the following in
> gmane.comp.python.django.user:
>
> > What I intend to achieve is that if in any occasion we've got a sql
> > injection for whatever the reason, the access to the DB from the app form
> > will be as limited as possible.
> >
>
>         You do THAT by not allowing user input directly into the SQL in the
> first place. ALL proper DB-API compliant database adapters use
> parameterized queries, and will properly escape and wrap the parameter
> data to prevent injection attacks.
>
>         And, so far as I can tell, Django's ORM is even less susceptible
> than direct DB-API to injection attacks, since besides passing user data
> through the parameter system, it uses Python syntax to access the
> relation attributes ("table columns").
>
>         If you are building raw SQL in which the user specifies both the
> column and the value for that column, you need to design the interface
> so that the column is never entered as text by the user, but is selected
> from a pre-defined list of columns. This ensures that column (and even
> table) names are clean for the building of the schema related part of
> the SQL statement; the data values are, of course, then passed using the
> DB-API parameter system and not "hand inserted" into the SQL.
>
>         If you follow these two criteria:
> 1) always use parameterized queries to pass user entered data
> 2) never use user entered text for schema entities when building dynamic
> queries
> you will not be subject to an SQL injection attack.
> --
>         Wulfraed                 Dennis Lee Bieber         AF6VN
>         wlfr...@ix.netcom.com    HTTP://wlfraed.home.netcom.com/
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
>
>
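
The two criteria from the quoted reply, shown as an added example that is not code from either poster or from Django itself. It runs against a constructed in-memory SQLite database using only the standard library's DB-API adapter, so the table, columns and sample rows are assumptions made for illustration. Django's connection.cursor().execute(sql, params) follows the same DB-API pattern, but always uses the %s placeholder regardless of backend; sqlite3 uses ?. The database-account side of the question (a restricted DB user for the app) is not shown, since SQLite has no accounts.

```python
"""
Added example (not from the original thread): criterion 1 (values go through
the DB-API parameter system) and criterion 2 (schema entities come from a
pre-defined list, never from user text), beside a deliberately vulnerable
version that interpolates both into the SQL string.
"""
import sqlite3

# Constructed sample schema and data; names are assumptions for the example.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    email    TEXT NOT NULL,
    is_admin INTEGER NOT NULL DEFAULT 0
);
INSERT INTO users (username, email, is_admin) VALUES
    ('alice', 'alice@example.com', 1),
    ('bob',   'bob@example.com',   0);
"""

# Criterion 2: the columns a user may search on are fixed in code. The user
# picks one of these (e.g. from a <select>), and the name is checked here.
SEARCHABLE_COLUMNS = frozenset({"username", "email"})


def make_db():
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_users_vulnerable(conn, column, value):
    """Deliberately broken: both the column and the value are pasted into the
    SQL text, so user input becomes part of the statement."""
    sql = f"SELECT username FROM users WHERE {column} = '{value}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_users_safe(conn, column, value):
    """Criterion 2: reject any column not in the pre-defined list.
    Criterion 1: pass the value as a DB-API parameter, never by formatting."""
    if column not in SEARCHABLE_COLUMNS:
        raise ValueError(f"unknown search column: {column!r}")
    # The column name is now known to be one of our own identifiers, so it is
    # safe to build into the schema part of the statement. The value is bound
    # by the adapter: sqlite3 uses '?', Django's cursor.execute() uses '%s'.
    sql = f"SELECT username FROM users WHERE {column} = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    # A value that closes the quoted string and appends an always-true clause.
    payload = "' OR '1'='1"
    print("vulnerable, injected value:", find_users_vulnerable(db, "username", payload))
    print("safe, same value:          ", find_users_safe(db, "username", payload))
    # A "column" that smuggles a predicate into the schema part of the query.
    print("vulnerable, injected column:", find_users_vulnerable(db, "1=1 OR username", "nobody"))
    try:
        find_users_safe(db, "1=1 OR username", "nobody")
    except ValueError as exc:
        print("safe, same column:", exc)
```

The vulnerable function returns every row for both payloads; the safe one returns nothing for the injected value (it is compared literally against the username column) and refuses the injected column name before any SQL is built.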
