On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin <[EMAIL PROTECTED]> wrote:
> Doesn't it depend on where and why you intend to execute the code?
> Obviously some SQL is more at risk for exploit when the input is from the
> screen on a web page than if you were running parameterized code in a
> controlled batch environment. Or if you were writing code generators (which
> is what I happen to do) which won't be run by the general public.
>
> Incidentally, couldn't input field edits prevent such exploits prior to
> interpolation?
>

There are ways to avoid SQL injection attacks, such as escaping all quotes in the text. We were simply pointing out that you have to be very careful when you add arbitrary strings into SQL statements. If you control everything going into the statement, you shouldn't have to worry about this.
-- http://mail.python.org/mailman/listinfo/python-list
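The three approaches discussed in the thread (string interpolation, escaping quotes by hand, and parameterized statements) side by side, as an added example that is not part of the original messages. It uses Python's standard sqlite3 module with an in-memory database; the table, the sample rows and the test inputs are constructed for the demonstration. The escaping helper doubles single quotes, which is the standard SQL quoting rule; the parameterized version lets the driver keep the data out of the statement text entirely.

```python
import sqlite3

# Constructed sample rows; the third name contains a quote on purpose.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_interpolated(conn, name):
    """Unsafe: the caller's string is spliced straight into the SQL text.

    Any quote in `name` changes the structure of the statement, so this
    either errors on legitimate input or matches rows it should not.
    """
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Hand escaping, as mentioned in the reply: double every single quote.

    This keeps the quote inside the literal for SQLite's quoting rules, but
    the correctness depends on knowing every rule of the target dialect.
    """
    sql = "SELECT name FROM users WHERE name = '%s'" % name.replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Preferred: a placeholder; the driver binds the value separately.

    The SQL text is fixed, so the value can never alter the statement.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice", "o'brien", "x' OR 'a'='a"):
        print("input:", repr(probe))
        try:
            print("  interpolated :", lookup_interpolated(db, probe))
        except sqlite3.OperationalError as exc:
            print("  interpolated : error:", exc)
        print("  escaped      :", lookup_escaped(db, probe))
        print("  parameterized:", lookup_parameterized(db, probe))
```

Running it shows the interpolated version failing on the legitimate name "o'brien" (syntax error) and returning every row for the third probe, while both the escaped and the parameterized versions return only exact matches. The parameterized form is the one to standardize on: doubling quotes is correct for SQLite, but other databases have additional escape conventions, so hand escaping has to be redone per dialect.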