In article <mailman.534.1274544403.32709.python-l...@python.org>, Christian Heimes <li...@cheimes.de> wrote:
>
>You *MUST NOT* use string formatting for SQL commands unless you
>carefully quote and validate the strings. Otherwise your SQL application
>is vulnerable to SQL injection attacks. SQL injections are one of the
>most common and devastating attacks for web applications these days.
>
>Example:
>"Select * from Users where uid = %s" % uid
>uid = "1; DROP Table users;"
>
>Guess what happens here ...

http://xkcd.com/327/

(Just in case there are newbies here.)
--
Aahz (a...@pythoncraft.com)           <*>         http://www.pythoncraft.com/

f u cn rd ths, u cn gt a gd jb n nx prgrmmng.
--
http://mail.python.org/mailman/listinfo/python-list
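Added example (not from the post above, nor from either poster): the formatted query Christian quotes, beside the parameterised form that fixes it, run against a constructed in-memory sqlite3 table. The table, its rows and the helper names are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data so the example runs offline; the table and rows
# are assumptions made up for this demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn

# The hostile input from the quoted post.
HOSTILE_UID = "1; DROP TABLE users;"

def lookup_unsafe(conn, uid):
    # The pattern criticised above: the caller's value is pasted into the
    # statement text, so it is parsed as SQL along with everything else.
    sql = "SELECT * FROM users WHERE uid = %s" % uid
    return conn.execute(sql).fetchall()

def lookup_safe(conn, uid):
    # Parameterised query: the value travels separately from the statement
    # and is bound as data, so it can never change the statement's shape.
    return conn.execute("SELECT * FROM users WHERE uid = ?", (uid,)).fetchall()

def unsafe_outcome(conn, uid):
    # Report what the unsafe version does with a given input: a row list,
    # or the name of the driver error it triggered.
    try:
        return ("rows", lookup_unsafe(conn, uid))
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return ("error", type(exc).__name__)

def users_intact(conn):
    # Sanity check after each lookup: the table still exists with both rows.
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 2

if __name__ == "__main__":
    db = make_db()
    print("unsafe, benign input:", unsafe_outcome(db, 1))
    # sqlite3 happens to refuse a second statement in execute(), which is
    # why the DROP does not run here. Other drivers and databases execute
    # it, so this is luck, not a defence.
    print("unsafe, hostile input:", unsafe_outcome(db, HOSTILE_UID))
    print("safe, hostile input:", lookup_safe(db, HOSTILE_UID))
    print("users table intact:", users_intact(db))
```

The parameterised lookup returns no rows for the hostile string because the whole string is compared as a value, never parsed as SQL.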