[DB-SIG] Re: PyFormat and execute

Stuart Bishop stuart at stuartbishop.net
Wed Feb 18 18:28:01 EST 2004

Hash: SHA1

On 12/02/2004, at 7:35 AM, Holger Duerer wrote:

>>>>>> "Andy" == Andy Todd <andy47 at halfcooked.com> writes:
>  [...]
>     Andy> Yes, and yes to your last two questions. It is in the DB-API
>     Andy> specification, its just not incredibly obvious to the
>     Andy> newcomer.
>     Andy> To that end I created a page on the Python Wiki and made
>     Andy> this FAQ number 1;
>     Andy> http://www.python.org/cgi-bin/moinmoin/DbApiFaq
>     Andy> If anyone wants to improve my wording feel free.
> Yes, it is shocking that this feature is not more widely known.  Most
> examples of DB access code that I have seen use the literal approach
> of adding the value in the SQL statement itself -- this is of course a
> SQL injection attack waiting to happen for all those people who just
> copy such code...

However, it does make a great interview question. This mistake is
not just common to Python - I've seen it in Perl, PHP and even Java
(where building your own SQL is more cumbersome, and the examples
much more likely to do the right thing). I think it has something
to do with people not understanding phrases like 'bind variables'
or 'parameter binding', so they just proceed to use the
bits they do understand that seem to work.

> All example programs should only show the execute method with
> arguments provided separately.

Preferably with one of the arguments containing a single quote,
or better yet a unicode string containing a single quote.
Same goes for HTTP server side code like CGI, where this
problem is much more prevalent and much more damaging in general.

- --  
Stuart Bishop <stuart at stuartbishop.net>
Version: GnuPG v1.2.3 (Darwin)


More information about the DB-SIG mailing list