Python Risk

Carey Evans careye at spamcop.net
Mon May 14 12:43:57 CEST 2001


"Delaney, Timothy" <tdelaney at avaya.com> writes:

> If the user can enter the criteria, you must always assume that they will
> enter both single and double quotes. So you always need to "fix" the data -
> for most SQL databases you double the quotes that match the delimiters, and
> single-quote is the most standard delimiter.

The SQL environments I've come across (DB2/400, PostgreSQL) assign
different meanings to single- and double-quote.  Single-quote
surrounds strings, with embedded single-quotes doubled:

    'This is Carey''s string.'

while double-quote surrounds field names, etc., that would otherwise
be SQL keywords:

    insert into MyTable ("User", Country) values('carey', 'NZ')

Neither 'User' nor "carey" work at all in this statement.

-- 
	 Carey Evans  http://home.clear.net.nz/pages/c.evans/

	    "Quiet, you'll miss the humorous conclusion."



More information about the Python-list mailing list