Mage wrote:
However, one of the worst cases is the SQL injection attack. And SQL
injections must be handled neither by PHP nor by Python but by the
programmer.

But Python's DB-API (the standard way to connect to an SQL database from Python) makes escaping SQL strings automatic. You can do this:


cursor.execute('UPDATE foo SET bar=%s WHERE id=%s', ["foo'bar", 123])

And "foo'bar" will be implicitly escaped to whatever is appropriate for your database. How's that for Python handling SQL injection automatically?
--
http://mail.python.org/mailman/listinfo/python-list
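The parameterized UPDATE from the post above, as an added, runnable example that is not part of the original thread. It uses the standard-library sqlite3 module (which follows the DB-API "qmark" paramstyle, `?`, where psycopg2 or MySQLdb would take the `%s` shown in the post) and a constructed in-memory table `foo` with two rows, so it can show that a value containing a quote is stored literally and that only the row named in the WHERE clause changes.

```python
import sqlite3

# Added example (not from the original thread). sqlite3 uses the "qmark"
# paramstyle ('?'); the '%s' in the post is the "format"/"pyformat" style
# of drivers such as psycopg2 and MySQLdb. In both cases the driver, not the
# programmer, takes care of quoting the bound values.


def open_demo_db():
    """Create an in-memory table `foo` with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)")
    conn.executemany("INSERT INTO foo (id, bar) VALUES (?, ?)",
                     [(123, "initial"), (124, "other")])
    conn.commit()
    return conn


def update_bar(conn, new_bar, row_id):
    """UPDATE foo SET bar=... WHERE id=... with both values bound as parameters.

    The SQL text is a constant; the values travel separately and are never
    spliced into it, so a quote inside new_bar cannot alter the statement.
    Returns the number of rows changed (expected: 1 for an existing id).
    """
    cur = conn.cursor()
    cur.execute("UPDATE foo SET bar=? WHERE id=?", (new_bar, row_id))
    conn.commit()
    return cur.rowcount


def read_bar(conn, row_id):
    row = conn.execute("SELECT bar FROM foo WHERE id=?", (row_id,)).fetchone()
    return row[0] if row else None


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM foo").fetchone()[0]


def db_paramstyle():
    """Expose the driver's DB-API paramstyle so callers can pick the placeholder."""
    return sqlite3.paramstyle


if __name__ == "__main__":
    conn = open_demo_db()
    # The awkward value from the post, then one shaped like a quote-breaking
    # input; both land in row 123 as plain text and row 124 is untouched.
    for value in ["foo'bar", "bar' OR '1'='1"]:
        changed = update_bar(conn, value, 123)
        print(db_paramstyle(), changed, repr(read_bar(conn, 123)),
              repr(read_bar(conn, 124)))
```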