Secure Python code - volunteers for code review?

Gerhard Haering gh at
Wed Oct 13 16:59:04 CEST 2004

On Tue, Oct 12, 2004 at 08:52:31PM -0700, Josiah Carlson wrote:
> You can save yourself many concerns by encoding your data in some
> fashion that cannot be understood by the database to mean anything.
> Hex works well for that.

Looks like overkill to me. If you let the DB-API do the quoting (by
providing both SQL statements and parameters to the execute method,
which he does), you're on the safe side IMO.

Using TEXT and VARCHAR fields for emails is the way to go IMO. No need
for any fancy BLOB/BYTEA column types, because emails cannot contain
chr(0) anyway. If you want to search and/or compare, then you should
be aware of possible charset issues, though.

-- Gerhard
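The two approaches discussed above, side by side, as an added example that is not part of the thread: a TEXT column holding a message body, one INSERT built by string formatting and one that hands the body to the DB-API driver as a parameter. SQLite (Python's sqlite3 module) and the sample message are assumptions for the demonstration; the thread does not name a database.

```python
import sqlite3

# Constructed sample message (not from the thread). The apostrophes and the
# non-ASCII character are what make it interesting for storage.
SAMPLE_EMAIL = (
    "From: alice@example.com\n"
    "Subject: R\u00e9: meeting\n\n"
    "It's at 10, isn't it?\n"
)


def setup_db():
    """In-memory database with a plain TEXT column, no BLOB needed for mail."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def insert_formatted(conn, body):
    """Builds the SQL with string formatting: the database parses the message
    text as part of the statement, so any quote in it changes the statement."""
    conn.execute("INSERT INTO mail (body) VALUES ('%s')" % body)


def insert_parameterized(conn, body):
    """Lets the DB-API do the quoting (statement plus parameters to execute):
    the body is bound as a value and is never parsed as SQL, so no hex or
    other encoding of the data is required."""
    conn.execute("INSERT INTO mail (body) VALUES (?)", (body,))


def fetch_bodies(conn):
    """Return all stored bodies in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM mail ORDER BY id")]


def demo():
    """Run both inserts on the sample; returns (formatted_failed, stored_bodies)."""
    conn = setup_db()
    try:
        insert_formatted(conn, SAMPLE_EMAIL)
        formatted_failed = False
    except sqlite3.OperationalError:  # the apostrophes break the statement
        formatted_failed = True
    insert_parameterized(conn, SAMPLE_EMAIL)
    stored = fetch_bodies(conn)
    conn.close()
    return formatted_failed, stored


if __name__ == "__main__":
    failed, rows = demo()
    print("string-formatted INSERT failed:", failed)
    print("parameterized body round-tripped intact:", rows == [SAMPLE_EMAIL])
```

The parameterized insert stores the message byte-for-byte as given, including the non-ASCII character; comparing or searching it later is where the charset question from the message above comes in, not storage.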
