[DB-SIG] In praise of pyformat

Carl Karsten carl at personnelware.com
Wed Aug 15 19:35:55 CEST 2007


Mike Meyer wrote:
> On Wed, 15 Aug 2007 09:44:56 -0400 Art Protin <aprotin at research.att.com> wrote:
>>     Carsten Haese wrote:
>>> On Tue, 2007-08-14 at 10:18 -0400, Mike Meyer wrote:
>>>>> How often does an identifier come from an untrusted source?
>>>> Um, how about in every web-based app that has a real search facility?
>>>> One that lets the user specify which column(s) they want to check, or
>>>> that can search multiple tables?
>>> Even if you take an identifier directly from an untrusted source, nobody
>>> is forcing you to stick it into a query unchecked.
> 
>> The better question is why is anybody letting him.
>> It is the worst form of programming to use unchecked data.
>> So is he arguing that he needs tools to check & validate the values before
>> using them as table or column names?
> 
> Not quite. I'm asking for a tool that will safely insert identifiers
> from an untrusted source into a query, much the same way that
> parameter binding lets me insert values from an untrusted source.
> 

I would like to point out a big difference between the two: parameters are a 
feature of the db engine's API that has to be dealt with in the python dbapi 
module in order to be used. Validating identifier names does not require 
anything in dbapi. This distinction may be a reason against adding additional 
functionality into dbapi.

Carl K
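The distinction Carl draws above, as an added example that is not part of the original thread or of any DB-API module: values go through the driver's parameter binding, while identifiers (table and column names) are checked in application code against an allow-list and then quoted, with no driver support needed. It uses the standard sqlite3 module, whose paramstyle is qmark rather than pyformat, and a constructed in-memory schema; the SEARCHABLE allow-list and the helper names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample schema and rows for the example.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO users (name, email) VALUES ('alice', 'alice@example.org');
INSERT INTO users (name, email) VALUES ('bob', 'bob@example.org');
"""

# Allow-list of searchable columns per table (assumed for the example).
# This is the identifier check: it lives entirely in application code and
# asks nothing of the DB-API module.
SEARCHABLE = {"users": {"name", "email"}}

# Plain identifier shape: letters, digits, underscore, not starting with a digit.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_ident(name):
    """Quote an SQL identifier with standard double quotes (SQLite accepts
    this), doubling any embedded double quote. Callers allow-list first;
    quoting is a second layer, not a substitute for the check."""
    return '"' + name.replace('"', '""') + '"'


def check_ident(table, column):
    """Reject any table/column pair that is not on the allow-list and return
    the pair quoted for safe interpolation into SQL text."""
    if not _IDENT.match(table) or not _IDENT.match(column):
        raise ValueError("malformed identifier")
    if table not in SEARCHABLE:
        raise ValueError("unknown table: %r" % table)
    if column not in SEARCHABLE[table]:
        raise ValueError("column %r not searchable in %r" % (column, table))
    return quote_ident(table), quote_ident(column)


def search(conn, table, column, needle):
    """Identifiers are checked and quoted in Python; the value is bound by
    the driver (sqlite3 uses '?' placeholders), so it is never SQL syntax."""
    qtable, qcolumn = check_ident(table, column)
    sql = "SELECT id, name, email FROM %s WHERE %s = ?" % (qtable, qcolumn)
    return conn.execute(sql, (needle,)).fetchall()


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def demo():
    conn = open_demo_db()
    # A user-chosen column that is on the allow-list works as expected.
    hits = search(conn, "users", "name", "alice")
    # A user-chosen column that is not on the allow-list never reaches SQL.
    try:
        search(conn, "users", "password", "x")
        rejected = False
    except ValueError:
        rejected = True
    # A value containing a quote is bound, so it is compared as data only.
    empty = search(conn, "users", "name", "o'brien")
    return hits, rejected, empty


if __name__ == "__main__":
    print(demo())
```

The point of splitting the work this way is that the driver already knows how to bind values safely, whereas which identifiers are acceptable is application knowledge (here the SEARCHABLE table); that knowledge is exactly what a generic DB-API helper could not supply, which is why the check can stay outside the module.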
