Hi, how safe is the following code against SQL injection:

    # Get user privilege
    digest = sha.new(pw).hexdigest()
    # Protect against SQL injection by escaping quotes
    uname = uname.replace("'", "''")
    sql = 'SELECT privilege FROM staff WHERE ' + \
          'username=\'%s\' AND password=\'%s\'' % (uname, digest)
    res = self.oraDB.query(sql)

pw is the supplied password and uname is the supplied password.

regards

--
http://mail.python.org/mailman/listinfo/python-list
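
An added example, not part of the original post: the same lookup written three ways (no escaping, the post's quote doubling, and bind parameters), to show that the bound form does not depend on every call site remembering the replace(). Assumptions: sqlite3 stands in for the post's Oracle handle, hashlib.sha1 replaces the old sha module, the table rows are constructed, and the privilege_* function names are hypothetical; use your own driver's placeholder syntax.

```python
import hashlib
import sqlite3


def digest(pw):
    # hashlib.sha1 is the modern spelling of the post's sha.new(pw).hexdigest()
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


def make_db():
    # Constructed sample table; sqlite3 stands in for the post's Oracle handle.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)")
    db.executemany("INSERT INTO staff VALUES (?, ?, ?)", [
        ("alice", digest("s3cret"), "admin"),
        ("o'brien", digest("hunter2"), "clerk"),
    ])
    return db


def _lookup(db, sql, params=()):
    row = db.execute(sql, params).fetchone()
    return row[0] if row else None


TEMPLATE = "SELECT privilege FROM staff WHERE username='%s' AND password='%s'"


def privilege_unescaped(db, uname, pw):
    # A call site where the replace() was forgotten: input becomes SQL text.
    return _lookup(db, TEMPLATE % (uname, digest(pw)))


def privilege_escaped(db, uname, pw):
    # The post's approach: double the quotes, then build the statement.
    return _lookup(db, TEMPLATE % (uname.replace("'", "''"), digest(pw)))


def privilege_bound(db, uname, pw):
    # Bind parameters: the values travel separately from the SQL text.
    sql = "SELECT privilege FROM staff WHERE username = :u AND password = :p"
    return _lookup(db, sql, {"u": uname, "p": digest(pw)})


if __name__ == "__main__":
    db = make_db()
    probe = "alice' --"  # constructed input: stray quote plus comment marker
    for fn in (privilege_unescaped, privilege_escaped, privilege_bound):
        print(fn.__name__, fn(db, probe, "wrong"))
```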