Secure Python code - volunteers for code review?

Cliff Wells clifford.wells at comcast.net
Wed Oct 13 12:48:31 CEST 2004


On Wed, 2004-10-13 at 00:47 -0700, Josiah Carlson wrote:
> > > You can save yourself many concerns by encoding your data in some
> > > fashion that cannot be understood by the database to mean anything.  Hex
> > > works well for that.
> > 
> > A more straightforward way is to simply use prepare() religiously.  This
> > also avoids the headache of having to decode your data if you use a
> > different program to access it (such as psql or mysql).
> 
> Thankfully, other languages are able to translate to/from hex *wink*. 

Well, paint me ignorant, but I'm unaware of any feature in psql or mysql
(or any other tool, for that matter) that translates hex data to a
human-readable form without explicitly wrapping each field in your query
in a function call (and this precludes queries such as "SELECT * FROM
foo").  I'm not certain what you mean by "other languages" as I was
referring to the command line tools shipped with PostgreSQL and MySQL
respectively.

Anyone who does a lot of database work inevitably finds themselves using
the stock tools to review/revise data, so IMO, encoding the data is far
too tedious when there is an existing method for providing safe queries
that doesn't incur this overhead.

> Either way, unencoded/unprepared data may bork you.

Absolutely.

-- 
Cliff Wells <clifford.wells at comcast.net>




More information about the Python-list mailing list