Tor Erik Soenvisen wrote:
> How safe is the following code against SQL injection:
>
> # Get user privilege
> digest = sha.new(pw).hexdigest()
> # Protect against SQL injection by escaping quotes
> uname = uname.replace("'", "''")
> sql = 'SELECT privilege FROM staff WHERE ' + \
> 'username=\'%s\' AND password=\'%s\'' % (uname, digest)
> res = self.oraDB.query(sql)
This is definitely *not* safe. For instance, set

uname = r"\' or 1=1 --"

You must replace the backslash with a double backslash as well. But as already suggested, you would do better to use query parameters.

-- Christoph

--
http://mail.python.org/mailman/listinfo/python-list
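As an added example (not code from either poster), here is the same privilege lookup rewritten with the query parameters the reply recommends. It assumes an in-memory sqlite3 table standing in for self.oraDB and hashlib.sha1 in place of the old sha module; the :name placeholder style it uses is also the one the Oracle Python drivers accept, so the query text carries over. The point it shows is that no hand-escaping of quotes or backslashes is needed at all: a legitimate username containing both is matched literally, and the input from the reply is looked up as a plain string and matches nothing.

```python
import hashlib
import sqlite3


def sha1_hex(pw):
    # hashlib replaces the old sha module from the post. Unsalted SHA-1 is kept
    # only to mirror the original; a real password hash (scrypt, bcrypt) belongs here.
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


def make_db():
    # Constructed sample database standing in for self.oraDB (assumption: the
    # Oracle wrapper from the post is not available here).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)")
    rows = [
        ("alice", sha1_hex("correct horse"), "admin"),
        # A legitimate username containing a quote and a backslash: stored and
        # later matched without any escaping on our side.
        ("o'brien\\", sha1_hex("staple"), "user"),
    ]
    conn.executemany(
        "INSERT INTO staff VALUES (:u, :p, :priv)",
        [{"u": u, "p": p, "priv": priv} for u, p, priv in rows],
    )
    conn.commit()
    return conn


def lookup_privilege(conn, uname, pw):
    """Return the privilege values for uname/pw using bind parameters.

    The SQL text is a constant; uname and the digest travel to the driver as
    values, so quotes, backslashes or comment markers in them cannot change
    the structure of the statement.
    """
    digest = sha1_hex(pw)
    sql = "SELECT privilege FROM staff WHERE username=:uname AND password=:digest"
    return [row[0] for row in conn.execute(sql, {"uname": uname, "digest": digest})]


if __name__ == "__main__":
    db = make_db()
    print(lookup_privilege(db, "alice", "correct horse"))  # ['admin']
    print(lookup_privilege(db, "o'brien\\", "staple"))     # ['user']
    print(lookup_privilege(db, r"\' or 1=1 --", "x"))      # []
```

With bind parameters the database-specific escaping rules (doubled quotes, backslashes) become the driver's concern rather than the application's, which is why the reply's advice to use query parameters is the fix to prefer over patching the replace() call.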