In article <[email protected]>,
Christian Heimes  <[email protected]> wrote:
>
>You *MUST NOT* use string formatting for SQL commands unless you 
>carefully quote and validate the strings. Otherwise your SQL application 
>is vulnerable to SQL injection attacks. SQL injections are one of the 
>most common and devastating attacks for web applications these days.
>
>Example:
>"Select * from Users where uid = %s" % uid
>uid = "1; DROP Table users;"
>
>Guess what happens here ...

http://xkcd.com/327/

(Just in case there are newbies here.)
-- 
Aahz ([email protected])           <*>         http://www.pythoncraft.com/

f u cn rd ths, u cn gt a gd jb n nx prgrmmng.
-- 
http://mail.python.org/mailman/listinfo/python-list
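To make the quoted warning concrete, here is an added example (not code from the original thread) using Python's standard sqlite3 module and an in-memory database with a few constructed rows. It contrasts the `%`-formatted query from Christian's message with a parameterised query, which is the usual alternative to quoting and validating by hand, and also shows the `DROP TABLE` payload. Note that sqlite3's `execute()` refuses to run more than one statement per call, so the stacked-statement case uses `executescript()` to stand in for drivers that do execute both statements.

```python
import sqlite3


def make_db():
    """Throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.org"),
         (2, "bob", "bob@example.org"),
         (3, "carol", "carol@example.org")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, uid):
    """The pattern from the post: untrusted input spliced into the SQL text.

    Whatever uid contains becomes part of the statement, so "1 OR 1=1"
    turns a single-row lookup into a dump of the whole table.
    """
    sql = "SELECT uid, name FROM users WHERE uid = %s" % uid
    return conn.execute(sql).fetchall()


def lookup_safe(conn, uid):
    """Parameterised query: the driver binds uid as a value, never as SQL.

    The same "1 OR 1=1" string is compared, as a string, against the
    integer uid column and matches nothing.
    """
    sql = "SELECT uid, name FROM users WHERE uid = ?"
    return conn.execute(sql, (uid,)).fetchall()


def drop_via_stacked_query(conn, uid):
    """Stacked-statement injection ("1; DROP TABLE users;").

    sqlite3.execute() raises a Warning on more than one statement, so this
    uses executescript() to model a driver that would run both statements.
    Returns True if the users table still exists afterwards.
    """
    conn.executescript("SELECT uid, name FROM users WHERE uid = %s" % uid)
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("unsafe, honest input :", lookup_unsafe(db, "1"))
    print("unsafe, injected     :", lookup_unsafe(db, "1 OR 1=1"))
    print("safe, honest input   :", lookup_safe(db, 1))
    print("safe, injected       :", lookup_safe(db, "1 OR 1=1"))
    print("table survives drop? :",
          drop_via_stacked_query(make_db(), "1; DROP TABLE users;"))
```

The `?` placeholder is sqlite3's paramstyle; other DB-API drivers use `%s` for bound parameters, which looks like string formatting but is not. The point is that the parameter is passed in the second argument of `execute()`, not merged into the query text beforehand.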
