On Wed, 20 Apr 2011 10:25:14 +0200, Thomas Rachel <nutznetz-0c1b6768-bfa9-48d5-a470-7603bd3aa...@spamschutz.glglgl.de> wrote:

> It depends on what the program does with the input. If it treats it
> appropriately, nothing can happen.

Yes, but the question seems to be what is appropriately.

> What do you want with filters here? Not filtering is appropriate
> against SQL injection, but escaping.

Escaping in strings, filtering with numbers etc.

> If Little Bobby Tables is really called "Robert'); DROP TABLE
> STUDENTS; --", it is wrong to reject this string - instead, all
> dangerous characters inside it must be quoted (in this case: ') and
> then it does not harm at all.

Well, you forgot to escape ; and \ but this seems to slide into OT ;)

Greets
Basti
-- http://mail.python.org/mailman/listinfo/python-list