On 20.04.2011 09:34, Bastian Ballmann wrote:

> No system is totally secure. You can _always_ poke around if a program
> uses user input.

It depends on what the program does with the input. If it treats it appropriately, nothing can happen.


> For example one can totally own a complete computer by
> nothing more than a single sql injection attack even if the programmer
> implemented some filters.

What do you want with filters here? It is not filtering that is appropriate against SQL injection, but escaping.

If Little Bobby Tables is really called "Robert'); DROP TABLE STUDENTS; --", it is wrong to reject this string - instead, all dangerous characters inside it must be quoted (in this case: ') and then it does not harm at all.


> Now would you say one shouldnt use sql
> databases cause of that? ;)

No, just beware of what can happen and use the DB and its functions appropriately.


Thomas
--
http://mail.python.org/mailman/listinfo/python-list
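The Bobby Tables case from the reply, worked through as an added example (not code from the thread): the vulnerable string-formatted INSERT beside the fixed version that lets the sqlite3 driver bind the value, so the quote in the name is stored as data rather than rejected. The STUDENTS table and the name are constructed fixtures; `executescript` is used for the vulnerable path because `execute` refuses to run more than one statement.

```python
import sqlite3

# Constructed sample input: the name quoted in the thread.
BOBBY = "Robert'); DROP TABLE STUDENTS; --"


def setup_db():
    """In-memory database with a STUDENTS table (constructed fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE STUDENTS (name TEXT)")
    conn.commit()
    return conn


def insert_unsafe(conn, name):
    """Vulnerable: the name is pasted straight into the SQL text, so the
    quote in it terminates the string literal and the rest runs as SQL."""
    conn.executescript(
        "INSERT INTO STUDENTS (name) VALUES ('%s');" % name)


def insert_safe(conn, name):
    """Fixed: the driver binds the parameter, so the quote inside the name
    is data, never SQL syntax. Nothing is filtered or rejected."""
    conn.execute("INSERT INTO STUDENTS (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn):
    """True if the STUDENTS table still exists."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master "
        "WHERE type='table' AND name='STUDENTS'").fetchone()
    return row[0] == 1


def stored_names(conn):
    """All names currently in STUDENTS."""
    return [r[0] for r in conn.execute("SELECT name FROM STUDENTS")]


def demo():
    """Run both variants on the same input and report what survived."""
    unsafe = setup_db()
    insert_unsafe(unsafe, BOBBY)   # table is gone afterwards
    safe = setup_db()
    insert_safe(safe, BOBBY)       # full name stored verbatim
    return table_exists(unsafe), table_exists(safe), stored_names(safe)


if __name__ == "__main__":
    print(demo())
```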