Secure Python code - volunteers for code review?

Josiah Carlson jcarlson at uci.edu
Wed Oct 13 09:47:42 CEST 2004


> > You can save yourself many concerns by encoding your data in some
> > fashion that cannot be understood by the database to mean anything.  Hex
> > works well for that.
> 
> A more straightforward way is to simply use prepare() religiously.  This
> also avoids the headache of having to decode your data if you use a
> different program to access it (such as psql or mysql).

Thankfully, other languages are able to translate to/from hex *wink*. 
Either way, unencoded/unprepared data may bork you.

 - Josiah




More information about the Python-list mailing list