[BangPypers] Drupal vs. Django

Vijay Ramachandran vijay750 at gmail.com
Tue Nov 17 11:33:51 CET 2009


On Mon, Nov 16, 2009 at 4:30 PM, <bangpypers-request at python.org> wrote:

> From: Noufal Ibrahim <noufal at gmail.com>
> Message-ID:
>        <9963e56e0911160144m44417d94k2f70c2e75759d812 at mail.gmail.com>
> Content-Type: text/plain; charset=windows-1252
>
> It's perfectly possible and equally easy to write SQL injection
> exploitable code in Python if you're using the raw DBAPI
>
>
That's not quite accurate. The accepted defense against SQL injection is
using prepared statements, and DBAPI strongly encourages one to use prepared
statements instead of constructing the SQL statement using string
manipulation. Unfortunately, the placeholder MySQLdb uses is "%s", which is
easy to confuse with string interpolation. The sqlite3 dbapi, for instance,
uses '?', which is much clearer.

Vijay

--
http://www.wisdomtap.com/
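An added example, not from the original post and not code from the MySQLdb or sqlite3 projects, showing the two ways of building the query the reply contrasts: Python string interpolation (where the value becomes part of the SQL text) versus a DBAPI placeholder (where the driver binds the value). It uses the standard-library sqlite3 module, whose placeholder is '?', and reads the module-level `paramstyle` attribute that PEP 249 requires every DBAPI module to expose, so the same template can be rendered for a 'format'-style driver such as MySQLdb without importing it. The `users` table, its two rows and the function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample data for the demonstration (not real accounts).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Placeholder token per DBAPI paramstyle (PEP 249). sqlite3 reports
# "qmark"; MySQLdb reports "format", whose token "%s" looks exactly like
# Python's interpolation operator, which is the trap the reply describes.
PLACEHOLDER = {"qmark": "?", "format": "%s"}


def make_db():
    """In-memory sqlite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the caller-supplied value is spliced into the SQL text.

    The '%' below is Python string interpolation, so a value such as
    "' OR '1'='1" rewrites the WHERE clause instead of being compared.
    """
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized: the value travels separately from the SQL text.

    The second argument to execute() is bound by the driver; whatever it
    contains is treated as data, never parsed as SQL.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_template(dbapi_module, template):
    """Fill a '{p}' template with the placeholder the given DBAPI module uses.

    For sqlite3 this yields '?'; for a module whose paramstyle is 'format'
    (MySQLdb) it yields '%s'. Only the SQL text is built here; values must
    still be passed to execute() as a separate parameter tuple.
    """
    return template.replace("{p}", PLACEHOLDER[dbapi_module.paramstyle])


def sqlite_placeholder():
    """Placeholder token that the standard-library sqlite3 module expects."""
    return PLACEHOLDER[sqlite3.paramstyle]


def run_demo():
    """Compare both functions on a normal name and on an injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "unsafe_normal": find_user_unsafe(conn, "alice"),
        "unsafe_payload": find_user_unsafe(conn, payload),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_payload": find_user_safe(conn, payload),
        "sqlite_sql": render_template(
            sqlite3, "SELECT name, email FROM users WHERE name = {p}"
        ),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-14s %r" % (key, value))
```

Run stand-alone, the unsafe lookup returns every row for the payload while the safe lookup returns none, and the rendered template shows '?' for sqlite3. The same template rendered for a 'format' driver gives "... WHERE name = %s"; passing the value as `execute(sql, (name,))` keeps it safe, whereas `execute(sql % (name,))` is the interpolation mistake the reply warns about.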

