Alan Gauld via Tutor wrote:

> On 13/05/16 21:25, Neil D. Cerutti wrote:
> 
>>  From your tutorial:
>> 
>> query = '''INSERT INTO Address
>>                 (First,Last,House,Street,District,Town,PostCode,Phone)
>>                 Values ("%s","%s","%s","%s","%s","%s","%s","%s")''' %\
>>                 (first, last, house, street, district, town, code, phone)
>> 
>> I am not an expert on SQLite, but that doesn't appear to be a wise way
>> to call SQL from Python. Are the double-quotes enough to protect you
>> from malicious data?
> 
> No, and if you carry on reading you will find:
> 
> ------------------
> A Word about Security
> 
> While the code above works and demonstrates how to call SQL from Python
> it does have one significant flaw. Because I used string formatting to
> construct the queries it is possible for a malicious user to enter some
> rogue SQL code as input. This rogue code then gets inserted into the
> query using the format string and is executed, potentially deleting
> vital data. To avoid that, the execute() API call has an extra trick up
> its sleeve....
> 
> -------------

I have to say it: giving a newbie a bad idea plus broken example code -- and 
then following up with a warning will hardly ever work out the way you'd hope.
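Added example (not the tutorial's or the list's own code) that runs the two approaches side by side on an in-memory SQLite database: the `%`-formatted INSERT quoted above next to the `?`-placeholder form that the tutorial's execute() "extra trick" refers to. The Address table schema and the sample rows are constructed for this example.

```python
import sqlite3

# Constructed schema mirroring the column list in the quoted INSERT.
SCHEMA = """CREATE TABLE Address
    (First, Last, House, Street, District, Town, PostCode, Phone)"""

# Constructed sample rows: one plain, one with a double quote inside the data.
PLAIN_ROW = ("Ann", "Smith", "12", "High St", "North", "Oldtown", "AB1 2CD", "0123")
QUOTED_ROW = ('Ann "Annie"', "Smith", "12", "High St", "North", "Oldtown", "AB1 2CD", "0123")


def _fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    return con


def insert_formatted(con, row):
    """The tutorial's approach: data is pasted into the SQL text, so any
    double quote in the data becomes part of the statement's syntax."""
    query = '''INSERT INTO Address
        (First,Last,House,Street,District,Town,PostCode,Phone)
        Values ("%s","%s","%s","%s","%s","%s","%s","%s")''' % tuple(row)
    con.execute(query)
    con.commit()


def insert_parameterised(con, row):
    """The fix: '?' placeholders, with the values handed to execute()
    separately so the driver never mixes data into the SQL grammar."""
    query = '''INSERT INTO Address
        (First,Last,House,Street,District,Town,PostCode,Phone)
        VALUES (?,?,?,?,?,?,?,?)'''
    con.execute(query, tuple(row))
    con.commit()


def compare(row):
    """Return (formatted_succeeded, first_names_stored_by_parameterised)."""
    con = _fresh_db()
    try:
        insert_formatted(con, row)
        formatted_ok = True
    except sqlite3.Error:          # syntax error: the data altered the SQL
        formatted_ok = False
    con2 = _fresh_db()
    insert_parameterised(con2, row)
    return formatted_ok, [r[0] for r in con2.execute("SELECT First FROM Address")]
```

Running `compare(QUOTED_ROW)` shows the formatted version failing on an ordinary name containing a quote, while the parameterised version stores it verbatim; the same mechanism is what lets crafted input change the statement rather than merely break it.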

_______________________________________________
Tutor maillist  -  Tutor@python.org