Hi,

How safe is the following code against SQL injection:

# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \
Tor Erik Soenvisen [EMAIL PROTECTED] writes:
> # Protect against SQL injection by escaping quotes

Don't ever do that, safe or not. Use query parameters instead.
That's what they're for.
--
http://mail.python.org/mailman/listinfo/python-list
Paul Rubin http://phr.cx@NOSPAM.invalid writes:
> Tor Erik Soenvisen [EMAIL PROTECTED] writes:
> > # Protect against SQL injection by escaping quotes
>
> Don't ever do that, safe or not. Use query parameters instead.
> That's what they're for.

More specifically: They've been debugged for just these kinds of purposes
Ben Finney wrote:
> More specifically: They've been debugged for just these kinds of
> purposes

in a well-designed database, the SQL parser never sees the parameter values,
so *injection* attacks are simply not possible.

/F
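The two approaches the thread contrasts, side by side, as an added example that is not code from the thread or from any of its posters. It completes the original post's string-building pattern and places the parameterised version Paul Rubin and Fredrik Lundh recommend next to it. The `staff` table layout (columns `uname`, `digest`, `privilege`), the sample accounts and the use of sqlite3 are all assumptions made for the example; `hashlib.sha1` stands in for the old `sha.new`.

```python
import hashlib
import sqlite3


# Added example, not code from the thread. The "staff" table and its columns
# other than "privilege" are assumptions; the rows below are constructed data.
def build_db():
    """Create an in-memory staff table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (uname TEXT, digest TEXT, privilege TEXT)")
    rows = [
        ("alice", hashlib.sha1(b"alice-pw").hexdigest(), "admin"),
        ("o'brien", hashlib.sha1(b"ob-pw").hexdigest(), "user"),  # legitimate name containing a quote
    ]
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", rows)
    return conn


def privilege_escaped(conn, uname, pw):
    """The pattern from the original post, completed under the assumptions
    above: double every single quote by hand, then concatenate into the SQL.
    Whether that doubling is sufficient depends on the engine's string-literal
    rules, which is exactly why the thread advises against hand escaping."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest()  # same as sha.new(pw)
    uname = uname.replace("'", "''")
    sql = ("SELECT privilege FROM staff WHERE uname = '" + uname
           + "' AND digest = '" + digest + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def privilege_param(conn, uname, pw):
    """Parameterised query: the SQL text is a constant and the user-supplied
    values are bound separately, so the parser never sees them as SQL and no
    escaping is needed, whatever characters uname happens to contain."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest()
    sql = "SELECT privilege FROM staff WHERE uname = ? AND digest = ?"
    row = conn.execute(sql, (uname, digest)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    for name, pw in [("alice", "alice-pw"), ("o'brien", "ob-pw"), ("alice", "bad")]:
        print(name, "->", privilege_param(db, name, pw))
```

The placeholder character is driver-specific (`?` for sqlite3, `%s` for psycopg2 and MySQLdb; see each module's `paramstyle`), but the principle is the same everywhere: the driver delivers `uname` and `digest` to the database as values, not as text to be parsed. Quote doubling, by contrast, is only correct for engines whose string literals have no other escape mechanism; MySQL, for instance, also treats a backslash as an escape character by default, so the single replace in the original post would not cover every input there. The unsalted SHA-1 of the password is kept solely to mirror the post and is not a recommendation for password storage.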