Secure Python code - volunteers for code review?
jcarlson at uci.edu
Wed Oct 13 09:47:42 CEST 2004
> > You can save yourself many concerns by encoding your data in some
> > fashion that cannot be understood by the database to mean anything. Hex
> > works well for that.
> A more straightforward way is to simply use prepare() religiously. This
> also avoids the headache of having to decode your data if you use a
> different program to access it (such as psql or mysql).
Thankfully, other languages are able to translate to/from hex *wink*.
Either way, unencoded/unprepared data may bork you.
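As an added illustration of the two approaches discussed above (this is not code from the thread, and the `users` table and its columns are assumptions made up for the demo), the script below runs the same lookup three ways against an in-memory SQLite database: by pasting the value into the SQL text, by hex-encoding it first, and by passing it as a bound parameter (the DB-API equivalent of the `prepare()` discipline, which in sqlite3 is the `?` placeholder). The injection payload pulls every row out of the naive version and nothing out of the other two:

```python
import sqlite3

# Hypothetical schema for the demo; not from the original thread.
SAMPLE_USERS = [("alice", "s1"), ("bob", "s2")]


def setup():
    """Build an in-memory DB with a plain table and a hex-encoded table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.execute("CREATE TABLE users_hex (name_hex TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    # The hex approach: encode every value on the way in.
    conn.executemany(
        "INSERT INTO users_hex VALUES (?, ?)",
        [(name.encode("utf-8").hex(), secret) for name, secret in SAMPLE_USERS],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: untrusted text is interpolated into the SQL statement."""
    sql = "SELECT secret FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_hex(conn, name):
    """Hex-encode before building the statement.

    The encoded value contains only [0-9a-f], so it can never close the
    quote or add SQL syntax, even though it is still string-formatted in.
    The cost is that other tools (psql, mysql) see only hex in the table.
    """
    sql = "SELECT secret FROM users_hex WHERE name_hex = '%s'" % name.encode("utf-8").hex()
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Bound parameter: the value never becomes part of the SQL text."""
    return [row[0] for row in conn.execute(
        "SELECT secret FROM users WHERE name = ?", (name,))]


def decode_hex_name(name_hex):
    """The decoding step the hex scheme forces on every reader of the data."""
    return bytes.fromhex(name_hex).decode("utf-8")


if __name__ == "__main__":
    conn = setup()
    payload = "' OR '1'='1"  # constructed injection input
    print("unsafe, honest input :", lookup_unsafe(conn, "alice"))
    print("unsafe, payload      :", lookup_unsafe(conn, payload))
    print("hex,    payload      :", lookup_hex(conn, payload))
    print("param,  payload      :", lookup_param(conn, payload))
```

The hex table is only safe as long as every write path encodes consistently; one raw insert and comparisons silently stop matching. Bound parameters need no such convention and leave the stored data readable from any client.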