Re: Protecting against SQL injection

2006-11-22 Thread Christoph Zwerschke
Tor Erik Soenvisen wrote:
 How safe is the following code against SQL injection:
 
 # Get user privilege
 digest = sha.new(pw).hexdigest()
 # Protect against SQL injection by escaping quotes
 uname = uname.replace("'", "''")
 sql = 'SELECT privilege FROM staff WHERE ' + \
   'username=\'%s\' AND password=\'%s\'' % (uname, digest)
 res = self.oraDB.query(sql)

This is definitely *not* safe.

For instance, set uname = r"\' or 1=1 --"

You must replace the backslash with a double backslash as well.
But as already suggested, you should better use query parameters.

-- Christoph
-- 
http://mail.python.org/mailman/listinfo/python-list


Protecting against SQL injection

2006-10-24 Thread Tor Erik Soenvisen
Hi,

How safe is the following code against SQL injection:

# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
  'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)

pw is the supplied password and uname is the supplied password.

regards


Re: Protecting against SQL injection

2006-10-24 Thread Paul Rubin
Tor Erik Soenvisen [EMAIL PROTECTED] writes:
 # Protect against SQL injection by escaping quotes

Don't ever do that, safe or not.  Use query parameters instead.
That's what they're for.


Re: Protecting against SQL injection

2006-10-24 Thread Ben Finney
Paul Rubin http://phr.cx@NOSPAM.invalid writes:

 Tor Erik Soenvisen [EMAIL PROTECTED] writes:
  # Protect against SQL injection by escaping quotes

 Don't ever do that, safe or not.  Use query parameters instead.
 That's what they're for.

More specifically: They've been debugged for just these kinds of
purposes, and every time you code an ad-hoc escaping-and-formatting
SQL query, you're inviting all the bugs that have been found and
removed before.

-- 
 \ Welchen Teil von 'Gestalt' verstehen Sie nicht?  [What part of |
  `\ 'gestalt' don't you understand?]  -- Karsten M. Self |
_o__)  |
Ben Finney



Re: Protecting against SQL injection

2006-10-24 Thread Fredrik Lundh
Ben Finney wrote:

 More specifically: They've been debugged for just these kinds of
 purposes

in a well-designed database, the SQL parser never sees the parameter values,
so *injection* attacks are simply not possible.

/F
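
The parameterized form that Paul, Ben and Fredrik recommend, as an added example that is not part of the thread: it uses Python's sqlite3 module (DB-API `?` placeholders) against a constructed in-memory staff table, and hashlib.sha256 in place of the old sha module. The table layout, the sample users and their privileges are assumptions made for the example.

```python
# Added example, not code from the thread: the staff lookup from the
# original post rewritten with DB-API query parameters. sqlite3 is used so
# it runs offline; the table layout and the sample users are constructed.
import hashlib
import sqlite3

# Constructed sample data: (username, plaintext password, privilege).
SAMPLE_STAFF = [
    ("alice", "correct horse", "admin"),
    ("bob", "hunter2", "user"),
]


def digest(pw: str) -> str:
    # Stands in for the thread's sha.new(pw).hexdigest(); the old sha module
    # is gone and hashlib is its replacement. A production system should use
    # a slow, salted password hash rather than a bare digest.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Create an in-memory staff table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)"
    )
    # Inserts are parameterized too; the values never touch the SQL text.
    conn.executemany(
        "INSERT INTO staff (username, password, privilege) VALUES (?, ?, ?)",
        [(user, digest(pw), priv) for user, pw, priv in SAMPLE_STAFF],
    )
    return conn


def get_privilege(conn: sqlite3.Connection, uname: str, pw: str):
    """Parameterized version of the original query.

    The statement text is a constant containing only placeholders. uname and
    the digest are handed to the driver separately, so quotes, backslashes
    and comment markers inside them are data, never SQL. Returns the
    privilege string for a matching row, or None.
    """
    sql = "SELECT privilege FROM staff WHERE username = ? AND password = ?"
    row = conn.execute(sql, (uname, digest(pw))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(get_privilege(db, "alice", "correct horse"))    # admin
    # The input from Christoph's reply, bound as a value: no row matches.
    print(get_privilege(db, r"\' or 1=1 --", "anything"))  # None
```

Because the statement text never changes, the input from Christoph's reply is compared as a literal username and matches nothing, whether or not the engine treats a backslash as an escape character (the difference behind his remark). Placeholder syntax is driver-specific: sqlite3 uses `?`, while cx_Oracle uses named `:name` bind variables, so the statement string would change but the principle does not.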


Re: Protecting against SQL injection

2006-10-24 Thread Steve Holden
Tor Erik Soenvisen wrote:
 Hi,
 
 How safe is the following code against SQL injection:
 
 # Get user privilege
 digest = sha.new(pw).hexdigest()
 # Protect against SQL injection by escaping quotes
 uname = uname.replace("'", "''")
 sql = 'SELECT privilege FROM staff WHERE ' + \
   'username=\'%s\' AND password=\'%s\'' % (uname, digest)
 res = self.oraDB.query(sql)
 
 pw is the supplied password and uname is the supplied password.
 
Slightly safer than not doing anything to the user-supplied inputs, but 
nowhere near as safe as it needs to be. Use parameterized queries!

regards
  Steve
-- 
Steve Holden   +44 150 684 7255  +1 800 494 3119
Holden Web LLC/Ltd  http://www.holdenweb.com
Skype: holdenweb   http://holdenweb.blogspot.com
Recent Ramblings http://del.icio.us/steve.holden



Re: Protecting against SQL injection

2006-10-24 Thread Aahz
In article [EMAIL PROTECTED],
Tor Erik Soenvisen  [EMAIL PROTECTED] wrote:

How safe is the following code against SQL injection:

# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
  'username=\'%s\' AND password=\'%s\'' % (uname, digest)
res = self.oraDB.query(sql)

Do yourself a favor at least and switch to using double-quotes for the
string.  I also recommend switching to triple-quotes to avoid the
backslash continuation.
-- 
Aahz ([EMAIL PROTECTED])   * http://www.pythoncraft.com/

If you don't know what your program is supposed to do, you'd better not
start writing it.  --Dijkstra