Oops. I meant: '.... in (%s)' % ','.join([str_edit_for_exploit(x) for x in aList])
On Fri, Sep 26, 2008 at 5:05 PM, Michael Mabin <[EMAIL PROTECTED]> wrote:
> so you wouldn't object then to something like '.... in (%)' %
> ','.join([str_edit_for_exploit(x) for x in aList])
>
> if str_edit_for_exploit applied security edits?
>
> On Fri, Sep 26, 2008 at 2:28 PM, Benjamin Kaplan <[EMAIL PROTECTED]> wrote:
>
>> On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin <[EMAIL PROTECTED]> wrote:
>>
>>> Doesn't it depend on where and why you intend to execute the code?
>>> Obviously some SQL is more at risk for exploit when the input is from the
>>> screen on a web page than if you were running parameterized code in a
>>> controlled batch environment. Or if you were writing code generators (which
>>> is what I happen to do) which won't be run by the general public.
>>>
>>> Incidentally, couldn't input field edits prevent such exploits prior to
>>> interpolation?
>>
>> There are ways to avoid SQL injection attacks, such as escaping all quotes
>> in the text. We were simply pointing out that you have to be very careful
>> when you add arbitrary strings into SQL statements. If you control
>> everything going into the statement, you shouldn't have to worry about this.
>
> --
> | _ | * | _ |
> | _ | _ | * |
> | * | * | * |

--
| _ | * | _ |
| _ | _ | * |
| * | * | * |
-- http://mail.python.org/mailman/listinfo/python-list
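The thread contrasts two approaches to building an `... IN (...)` clause from a list: interpolating values that have been run through an "edit" function such as the proposed str_edit_for_exploit, versus escaping quotes or controlling every input. The following is an added example, not code from the thread or from any of its participants; it uses only the standard-library sqlite3 module, a constructed in-memory table, and hypothetical function names (make_db, names_by_id_interpolated, names_by_id_parameterized). It shows the caveat a reviewer would raise: an edit that escapes quotes only protects values that end up inside quotes, so it does nothing for a numeric IN-list, whereas handing the values to the driver as parameters keeps them out of the SQL grammar entirely.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): three users in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    conn.commit()
    return conn


def str_edit_quotes_only(value):
    """Hypothetical 'security edit' of the kind the thread discusses:
    it doubles single quotes, which is the escaping rule for string
    literals. It has no effect on a value placed in an unquoted
    (numeric) position, which is exactly where it is used below."""
    return str(value).replace("'", "''")


def names_by_id_interpolated(conn, id_list):
    """The interpolation pattern from the thread, applied to a numeric
    column. Kept here only to show its failure mode; do not use."""
    sql = "SELECT name FROM users WHERE id IN (%s)" % ",".join(
        str_edit_quotes_only(x) for x in id_list
    )
    return sorted(row[0] for row in conn.execute(sql))


def names_by_id_parameterized(conn, id_list):
    """Safe form: the only thing interpolated into the SQL text is a
    list of '?' placeholders; the values travel as bound parameters,
    so the database never parses them as SQL."""
    if not id_list:
        return []
    placeholders = ",".join("?" for _ in id_list)
    sql = "SELECT name FROM users WHERE id IN (%s)" % placeholders
    return sorted(row[0] for row in conn.execute(sql, list(id_list)))


if __name__ == "__main__":
    db = make_db()
    # Constructed input that contains no quote at all, so the quote-doubling
    # edit leaves it untouched and it rewrites the WHERE clause.
    crafted = ["1) OR 1=1 --"]
    print("interpolated, normal input :", names_by_id_interpolated(db, [1, 3]))
    print("interpolated, crafted input:", names_by_id_interpolated(db, crafted))
    print("parameterized, normal input :", names_by_id_parameterized(db, [1, 3]))
    print("parameterized, crafted input:", names_by_id_parameterized(db, crafted))
```

With the crafted value the interpolated query becomes `... WHERE id IN (1) OR 1=1 --)`, the trailing parenthesis is swallowed by the SQL comment, and every row comes back; the parameterized query compares the integer column against the bound text value and returns nothing. The lesson for the thread's question is that an input edit only helps if it matches the syntactic context the value lands in, whereas placeholders are correct in every context the driver supports.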