Hi,

How safe is the following code against SQL injection:

        import sha  # Python 2 stdlib module; provides sha.new()
        # Get user privilege
        digest = sha.new(pw).hexdigest()
        # Protect against SQL injection by escaping quotes
        uname = uname.replace("'", "''")
        # '%' binds tighter than '+', so the format applies to the second literal only
        sql = 'SELECT privilege FROM staff WHERE ' + \
              'username=\'%s\' AND password=\'%s\'' % (uname, digest)
        res = self.oraDB.query(sql)

pw is the supplied password and uname is the supplied password.

regards
-- 
http://mail.python.org/mailman/listinfo/python-list
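The following is an added example (not code from the poster's application) that puts the quote-doubling approach from the question beside the usual hardened form, a query with bind variables. It stands in for the poster's Oracle database with an in-memory SQLite table of the same three assumed columns (username, password, privilege) and uses hashlib.sha1 in place of the old sha module; the user rows and the probe inputs are constructed for the demonstration.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the poster's 'staff' table (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)")
    rows = [
        ("alice", hashlib.sha1(b"correct horse").hexdigest(), "admin"),
        ("o'brien", hashlib.sha1(b"shamrock").hexdigest(), "user"),  # name with a quote
    ]
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", rows)
    return conn


def build_escaped_sql(uname, digest):
    """The poster's construction: double single quotes, then format into the SQL text.

    Doubling is the standard escape inside a SQL string literal, so a quote in the
    username becomes data rather than a literal terminator. Only uname is escaped;
    digest is safe here solely because hexdigest() yields [0-9a-f] characters.
    """
    uname = uname.replace("'", "''")
    return ("SELECT privilege FROM staff WHERE "
            "username='%s' AND password='%s'" % (uname, digest))


def lookup_escaped(conn, uname, pw):
    """Look up privilege using the escaped-and-formatted query."""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    return [row[0] for row in conn.execute(build_escaped_sql(uname, digest))]


def lookup_bound(conn, uname, pw):
    """Hardened form: bind variables. The SQL text is fixed; the driver passes the
    values separately, so no escaping step can be forgotten by a later caller."""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    sql = "SELECT privilege FROM staff WHERE username=:uname AND password=:digest"
    return [row[0] for row in conn.execute(sql, {"uname": uname, "digest": digest})]


def compare(conn, uname, pw):
    """Run both variants on the same input so their results can be checked side by side."""
    return lookup_escaped(conn, uname, pw), lookup_bound(conn, uname, pw)


if __name__ == "__main__":
    db = make_db()
    print(build_escaped_sql("o'brien", "<digest>"))  # shows the doubled quote
    for uname, pw in [("alice", "correct horse"), ("o'brien", "shamrock"),
                      ("' OR '1'='1", "anything"), ("alice", "wrong")]:
        print(repr(uname), "->", compare(db, uname, pw))
```

Both variants return the same rows for the constructed inputs, including the username that contains a quote and the classic tautology probe, which the doubling turns into a harmless literal. The bound form is still the one to prefer: its safety does not depend on every call site remembering the replace() step or on the escaping rules of a particular database, and it covers every parameter rather than just the one the author thought to escape. With cx_Oracle the same `:name` placeholders are the native bind-variable syntax.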
