[Python-3000] DB API SQL injection issue
Nicko van Someren
nicko at nicko.org
Tue May 1 22:38:26 CEST 2007
On 1 May 2007, at 20:14, Jason Garber wrote:
> In PEP 249 (Python Database API Specification v2.0), there is a
> paragraph about cursors that reads:
>
> .execute(operation[,parameters])
> Prepare and execute a database operation (query or
> command). Parameters may be provided as sequence or
> mapping and will be bound to variables in the operation.
> Variables are specified in a database-specific notation
> (see the module's paramstyle attribute for details). [5]
>
> I propose that the second parameter to execute() is changed to be a
> required parameter to prevent accidental SQL injection
> vulnerabilities.
How do you propose to deal with the SQL commands for which there is no need to do any parameter replacement? This is not at all uncommon; would you expect to make people type cur.execute("SELECT DISTINCT zip_code FROM customer_addresses", None) or some such?
Nicko
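As an added illustration of the parameter binding the quoted PEP 249 text describes (example code written for this page, not part of the thread), using the standard library sqlite3 module, whose paramstyle is qmark. The table, rows and lookup names are constructed for the demo; the last function is the no-parameter statement Nicko mentions, run with a single argument.

```python
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer_addresses (name TEXT, zip_code TEXT)")
    conn.executemany(
        "INSERT INTO customer_addresses VALUES (?, ?)",
        [("alice", "10001"), ("bob", "94105"), ("carol", "10001")],
    )
    return conn


def zip_codes_unsafe(conn, name):
    # The accidental-injection pattern: the caller builds the SQL text
    # with string formatting, so whatever is in `name` becomes part of
    # the statement itself rather than a bound value.
    sql = "SELECT zip_code FROM customer_addresses WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def zip_codes_safe(conn, name):
    # PEP 249 style: the statement is fixed and the value is passed as
    # the second argument to execute(), in sqlite3's qmark notation.
    # The driver binds it as data, so it can never alter the query.
    sql = "SELECT zip_code FROM customer_addresses WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def distinct_zip_codes(conn):
    # The case raised in the reply: a constant statement with nothing
    # to bind, executed with one argument and no parameter sequence.
    rows = conn.execute("SELECT DISTINCT zip_code FROM customer_addresses")
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed input for the demo
    print("unsafe:", zip_codes_unsafe(db, tautology))  # every row leaks
    print("safe:  ", zip_codes_safe(db, tautology))    # no such customer
    print("all:   ", distinct_zip_codes(db))
```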