[DB-SIG] In praise of pyformat

Carl Karsten carl at personnelware.com
Tue Aug 14 19:27:19 CEST 2007


Mike Meyer wrote:
> On Mon, 13 Aug 2007 19:11:15 -0500 Carl Karsten <carl at personnelware.com> wrote:
>> Mike Meyer wrote:
>>> While I think your order is a little exaggerated, I'll merely point
>>> out that it's a common thing to see when you're writing code that
>>> writes code. SQL pretty much sucks for this, but Python isn't too bad -
>>> and it's one of the most powerful programming techniques available - I
>>> seem to use it in every other application. So I'd expect it to become
>>> more common, not less.
>> about a million to one seems realistic to me.
> 
> In my experience, it's more like every other application that needs
> this.
> 
>> How often does an identifier come from an untrusted source?
> 
> Um, how about in every web-based app that has a real search facility?
> One that lets the user specify which column(s) they want to check, or
> that can search multiple tables? I seem to be involved in working on
> one of those every few years: an SGML document search engine, a user
> database search engine, a webmail client, a workflow management
> system, and a software change tracking system are what I can recall
> now.

hmm, I think I see it.  Even if you provide a list of valid identifiers to the 
browser, there is nothing to prevent that being replaced.

Got the URL of one of these so I can examine it?

Carl K
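The point the thread lands on (a column name chosen in the browser can be swapped for anything before it reaches the server, and DB-API placeholders only bind values, never identifiers) is illustrated by the following added example. It is not code from the thread or from any of the systems Mike mentions. It assumes a constructed sqlite3 `docs` table with an `id`, `title`, `author` and `body` column; the identifier is checked against an allowlist read from the live schema, and the search term is bound with a placeholder (sqlite3's named style here; a pyformat driver such as psycopg2 or MySQLdb would spell the same placeholder `%(term)s`).

```python
import sqlite3

# Constructed sample data for the example; not taken from the thread.
SAMPLE_ROWS = [
    ("Intro to SQL", "alice", "select from where"),
    ("Python DB-API", "bob", "paramstyle pyformat"),
    ("O'Reilly review", "carol", "quotes 'inside' the body"),
]


def make_db():
    """Create an in-memory database with a small, constructed `docs` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT, author TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO docs (title, author, body) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def searchable_columns(conn):
    """Allowlist of identifiers the client may search on, derived from the
    server-side schema rather than from anything the browser sent.
    PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk);
    only TEXT columns are offered for substring search."""
    rows = conn.execute("PRAGMA table_info(docs)").fetchall()
    return frozenset(row[1] for row in rows if row[2] == "TEXT")


def search(conn, column, term):
    """Substring search of one column.

    `column` is untrusted: it arrives from a <select> in the search form, and
    the form's option list can be edited before submission. It is therefore
    validated against the schema allowlist before being interpolated into
    the SQL text. `term` is also untrusted but is a value, so it is bound by
    the driver through a placeholder and never interpolated.
    """
    if column not in searchable_columns(conn):
        raise ValueError("unknown search column: %r" % (column,))
    # Identifier: validated, then double-quoted as an SQL identifier.
    # Value: bound as :term (a pyformat driver would use %(term)s).
    sql = 'SELECT id, title FROM docs WHERE "%s" LIKE :term' % column
    return conn.execute(sql, {"term": "%" + term + "%"}).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(sorted(searchable_columns(db)))
    print(search(db, "author", "bob"))
    print(search(db, "body", "'inside'"))
    try:
        search(db, "not_a_column", "x")
    except ValueError as exc:
        print("rejected:", exc)
```

The quotes in the third search term show why the value belongs in a placeholder: the driver binds it verbatim and no escaping is needed, while the identifier gets the one treatment a placeholder cannot give it, a comparison against a server-side list.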
