Secure Python code - volunteers for code review?

Cliff Wells clifford.wells at comcast.net
Wed Oct 13 07:25:58 CEST 2004


On Tue, 2004-10-12 at 20:52 -0700, Josiah Carlson wrote:
> > I would really value it if any security aware Python guru was able to
> > review the code from a security perspective.  It would be good to
> > ensure that python or sql code planted in an email or an attachment
> > could not execute and break out of the script - or that any other
> > security issue might arise.  But how - I don't have anything near the
> > level of Python expertise required to properly assess this script for
> > security risk?  If someone has the time to do a code review it would be
> > much appreciated.
> 
> You can save yourself many concerns by encoding your data in some
> fashion that cannot be understood by the database to mean anything.  Hex
> works well for that.

A more straightforward way is to simply use prepare() religiously.  This
also avoids the headache of having to decode your data if you use a
different program to access it (such as psql or mysql).

Regards,
Cliff

-- 
Cliff Wells <clifford.wells at comcast.net>




More information about the Python-list mailing list