Yes, your SQL would be trivial to manipulate via SQL injection. Not only do you need to validate each piece of data submitted by a user, you need to escape all the wildcard characters that your database uses. If the text string supplied by a user has quotes or parens or wildcard characters, the text could be interpreted as SQL, and that is what you must avoid.
Kee Nethery -- http://mail.python.org/mailman/listinfo/python-list
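The two points in the reply above (user text being interpreted as SQL, and LIKE wildcards needing their own escaping) as an added Python/sqlite3 example; this is not code from the original post, and the table and names are constructed for the demonstration.

```python
import sqlite3


def open_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample table; the rows are made up for this demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), ("100%_done",)])
    return conn


def find_user_unsafe(conn, name):
    # String formatting splices user text into the statement, so a quote in
    # the input changes the SQL itself (here it surfaces as a parse error).
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Parameter binding: the driver sends the value separately from the
    # statement, so quotes and parens in the input are only ever data.
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]


def search_prefix_naive(conn, prefix):
    # Bound parameters do NOT neutralise LIKE wildcards: a user-supplied
    # '%' or '_' inside the pattern still matches anything.
    cur = conn.execute("SELECT name FROM users WHERE name LIKE ?", (prefix + "%",))
    return [row[0] for row in cur]


def escape_like(text, esc="\\"):
    # Escape the LIKE metacharacters (and the escape character itself) so
    # the user's text is matched literally inside the pattern.
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_prefix_safe(conn, prefix):
    # User wildcards escaped and declared via ESCAPE; the trailing '%' is ours.
    cur = conn.execute("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
                       (escape_like(prefix) + "%",))
    return [row[0] for row in cur]


def unsafe_query_breaks(conn, name):
    # True when the formatted query is rejected by the SQL parser, i.e. the
    # user's text was read as SQL rather than as a value.
    try:
        find_user_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False
```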