[DB-SIG] In praise of pyformat
Mike Meyer
mwm-keyword-dbsig.588a7d at mired.org
Wed Aug 15 16:38:26 CEST 2007
On Wed, 15 Aug 2007 10:30:38 +0200 "M.-A. Lemburg" <mal at egenix.com> wrote:
> On 2007-08-15 06:04, Mike Meyer wrote:
> >> Keep in mind that this is just my opinion, and I don't speak for the
> >> entire DB-SIG community. It's your right to post a proposal and ask for
> >> a vote.
> >
> > I posted a proposal. The total vote was -1....
>
> You can add another -1. We've been through these discussions many
> times before, so in theory you'd have to add all those votes
> as well :-)
Just to be clear, this proposal was for adding functionality to the
dbapi to help people who need to build queries that include untrusted
data that isn't values. It was unrelated to parameter binding.
I didn't see any previous discussion of such. Can you provide
pointer(s)?
> Another nice side-effect is the prevention of SQL injection attacks
> due to the fact that SQL commands and values are separated, much
> like code and data is separated by todays OSes for applications.
Never forget that one person's code is someone else's data. The python
interpreter is code to us and data to the CPU; our python code is the
interpreters data; and our string data is SQL code. The problem I'm
trying to deal with comes about when the code is built from data
that's not necessarily trustworthy. The design goals espoused in the
discussion of parameter binding - most notably "It's better for the
module authors than user to write the code" and "don't build queries
with string substitution" would seem to indicate that this should be
done by the db modules, but the dbapi has no tools for doing so.
<mike
--
Mike Meyer <mwm at mired.org> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
More information about the DB-SIG
mailing list