[Python-3000] DB API SQL injection issue

Nicko van Someren nicko at nicko.org
Tue May 1 22:38:26 CEST 2007

On 1 May 2007, at 20:14, Jason Garber wrote:
> In PEP 249 (Python Database API Specification v2.0), there is a
> paragraph about cursors that reads:
> .execute(operation[,parameters])
>    Prepare and execute a database operation (query or
>    command).  Parameters may be provided as sequence or
>    mapping and will be bound to variables in the operation.
>    Variables are specified in a database-specific notation
>    (see the module's paramstyle attribute for details). [5]
> I propose that the second parameter to execute() is changed to be a
> required parameter to prevent accidental SQL injection  
> vulnerabilities.

How do you propose to deal with the SQL commands for which there is  
no need to do any parameter replacement?  This is not at all  
uncommon; would you expect to make people type cur.execute("SELECT  
DISTINCT zip_code FROM customer_addresses", None) or somesuch?


More information about the Python-3000 mailing list