Secure Python code - volunteers for code review?

Gerhard Haering gh at
Wed Oct 13 16:53:54 CEST 2004

On Tue, Oct 12, 2004 at 10:25:58PM -0700, Cliff Wells wrote:
> [Josiah Carlson requests a security review of his code storing/receiving
> email data from a PostgreSQL database]
> A more straightforward way is to simply use prepare() religiously.
> This also avoids the headache of having to decode your data if you
> use a different program to access it (such as psql or mysql).

There's no prepare() in the DB-API. Letting the database module do the
quoting should be enough to stay clear of SQL injection attacks.

And this his code does, from what I can see. The SQL stuff is hard to
read for me, though. Maybe the database access code should be factored
out more and put in a class of its own.

-- Gerhard

More information about the Python-list mailing list