Problem inserting into Postgres (PgSQL) database

Skip Montanaro skip at pobox.com
Thu Jun 19 12:05:37 EDT 2003


    >> Second, your style of constructing SQL is a bad one. Use the DB-API
    >> way of quoting the various datatypes instead:
    ...
    >> The way you're constructing your SQL statement now is a security
    >> vulnerability if any of the fields can come from an untrusted source.

    Dave> Could you please elaborate on how your method is more secure?
    Dave> Isn't it the same result since the %s are replaced with the values
    Dave> from the variable.

I hadn't considered the possibility of a security hole, though I suspect
there is one, especially when executing SQL which might modify tables.  I'm
not good enough with SQL to know how to reliably construct malicious stuff.
The more likely problem the way you are doing things is that you will wind
up with a quoting error.  What if, for example, passwd contained a single
apostrophe?  By letting the execute() method handle quoting that gets taken
care of for you.

Skip
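The quoting error and the injection Skip alludes to, shown side by side as an added example (this code is not from the thread or from either poster). It uses sqlite3, which ships with Python and implements DB-API 2.0 with the "?" placeholder; the PostgreSQL adapters discussed on the list use "%s" as the placeholder, but the point is identical: the values go in the second argument to execute(), not through Python's % operator. The table, rows and payload strings are constructed for the demonstration.

```python
import sqlite3

# Added example (not from the original thread). sqlite3 implements DB-API 2.0
# with the "qmark" (?) paramstyle; psycopg for PostgreSQL uses "%s", but the
# values are still handed to execute() separately. Sample data is constructed.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "secret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def count_unsafe(conn, name, passwd):
    # The pattern criticised in the thread: Python's % operator pastes the
    # values into the SQL text, so quotes in the data become quotes in SQL.
    sql = ("SELECT count(*) FROM users WHERE name = '%s' AND passwd = '%s'"
           % (name, passwd))
    return conn.execute(sql).fetchone()[0]


def count_safe(conn, name, passwd):
    # DB-API way: placeholders in the SQL, values passed separately, so the
    # driver binds them as data and never re-parses them as SQL.
    sql = "SELECT count(*) FROM users WHERE name = ? AND passwd = ?"
    return conn.execute(sql, (name, passwd)).fetchone()[0]


def reset_password_unsafe(conn, name, new_passwd):
    sql = ("UPDATE users SET passwd = '%s' WHERE name = '%s'"
           % (new_passwd, name))
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def reset_password_safe(conn, name, new_passwd):
    cur = conn.execute("UPDATE users SET passwd = ? WHERE name = ?",
                       (new_passwd, name))
    conn.commit()
    return cur.rowcount


def demo():
    conn = make_db()
    out = {}

    # Case 1: a legitimate password containing an apostrophe. The pasted
    # version yields ... passwd = 'it's' which is not valid SQL at all.
    try:
        count_unsafe(conn, "alice", "it's")
        out["unsafe_apostrophe"] = "ran"
    except sqlite3.OperationalError:
        out["unsafe_apostrophe"] = "syntax error"
    out["safe_apostrophe"] = count_safe(conn, "alice", "it's")

    # Case 2: the classic injection. AND binds tighter than OR, so the pasted
    # WHERE clause becomes (name='alice' AND passwd='') OR '1'='1', which is
    # true for every row; the bound version just compares the literal string.
    payload = "' OR '1'='1"
    out["unsafe_injection"] = count_unsafe(conn, "alice", payload)
    out["safe_injection"] = count_safe(conn, "alice", payload)

    # Case 3: the same trick against a statement that modifies the table.
    # No user is called "nobody", yet the pasted version updates every row.
    name_payload = "nobody' OR '1'='1"
    out["safe_update_rows"] = reset_password_safe(conn, name_payload, "x")
    out["unsafe_update_rows"] = reset_password_unsafe(conn, name_payload, "x")
    out["alice_passwd"] = conn.execute(
        "SELECT passwd FROM users WHERE name = ?", ("alice",)).fetchone()[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the three outcomes the thread is arguing about: the pasted query fails outright on an apostrophe, returns every row for a crafted password, and rewrites every user's password when the same crafting is applied to an UPDATE; the parameterised versions treat all of those inputs as ordinary strings and simply match nothing.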






More information about the Python-list mailing list