Secure Python code - volunteers for code review?
clifford.wells at comcast.net
Wed Oct 13 07:25:58 CEST 2004
On Tue, 2004-10-12 at 20:52 -0700, Josiah Carlson wrote:
> > I would really value it if any security aware Python guru was able to
> > review the code from a security perspective. It would be good to
> > ensure that python or sql code planted in an email or an attachment
> > could not execute and break out of the script - or that any other
> > security issue might arise. But how - I don't have anything near the
> > level of Python expertise required to properly assess this script for
> > security risk? If someone has the time to do a code review it would be
> > much appreciated.
> You can save yourself many concerns by encoding your data in some
> fashion that cannot be understood by the database to mean anything. Hex
> works well for that.
A more straightforward way is to simply use prepare() religiously. This
also avoids the headache of having to decode your data if you use a
different program to access it (such as psql or mysql).
Cliff Wells <clifford.wells at comcast.net>
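The parameterized approach recommended in the reply, as an added example that is not from the thread: Python's DB-API has no separate prepare() call, but passing values to execute() as parameters (sqlite3 here) gives the same separation of SQL text from data. The message rows and the hostile From: value are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for messages parsed from a mailbox.
MESSAGES = [
    ("alice@example.com", "Weekly report"),
    ("bob@example.com", "Re: O'Brien's invoice"),
]


def make_db():
    """In-memory sqlite database filled with the constructed messages."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messages (sender TEXT, subject TEXT)")
    # Placeholders: the apostrophe in O'Brien's needs no escaping or encoding.
    con.executemany("INSERT INTO messages VALUES (?, ?)", MESSAGES)
    return con


def subjects_unsafe(con, sender):
    """Builds SQL by concatenation, so an untrusted header becomes SQL syntax."""
    sql = "SELECT subject FROM messages WHERE sender = '" + sender + "'"
    return [row[0] for row in con.execute(sql)]


def subjects_safe(con, sender):
    """Parameterized query: the driver binds the value, it never becomes SQL."""
    sql = "SELECT subject FROM messages WHERE sender = ?"
    return [row[0] for row in con.execute(sql, (sender,))]


def demo():
    """Runs both lookups against a constructed From: value that is SQL, not an address."""
    con = make_db()
    hostile = "nobody@example.com' OR '1'='1"
    # Concatenation lets the value rewrite the WHERE clause and match every row;
    # the bound parameter is compared literally and matches nothing.
    return subjects_unsafe(con, hostile), subjects_safe(con, hostile)


if __name__ == "__main__":
    leaked, bound = demo()
    print("concatenated query returned:", leaked)
    print("parameterized query returned:", bound)
```

The same rule applies to every driver the thread mentions: with psql or mysql you can read the stored values back unchanged, because nothing was hex-encoded on the way in.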