Leif K-Brooks wrote:
But Python's DB-API (the standard way to connect to an SQL database from Python) makes escaping SQL strings automatic. You can do this:
cursor.execute('UPDATE foo SET bar=%s WHERE id=%s', ["foo'bar", 123])
So. I've been writing SQL queries in Python like this, using PostgreSQL and psycopg:
cursor.execute("select * from foo where bar=%s" % baz)
Is that wrong, and how should I have been supposed to know that this is bad syntax? No doc I have seen actually has told me so.
It's *wrong* for some value of "wrong" - it does potentially introduce a SQL injection vulnerability into your code.
Suppose I provide as input into the baz variable
1; drop table foo
Your statement then becomes
select * from foo where bar=1; drop table foo
which is clearly not such a good idea. More sophisticated attacks are possible, but this gives you the idea.
regards
 Steve
--
Steve Holden          +1 703 861 4237  +1 800 494 3119
Holden Web LLC                 http://www.holdenweb.com/
Python Web Programming      http://pydish.holdenweb.com/
-- http://mail.python.org/mailman/listinfo/python-list