Secure Python code - volunteers for code review?
clifford.wells at comcast.net
Wed Oct 13 12:48:31 CEST 2004
On Wed, 2004-10-13 at 00:47 -0700, Josiah Carlson wrote:
> > > You can save yourself many concerns by encoding your data in some
> > > fashion that cannot be understood by the database to mean anything. Hex
> > > works well for that.
> > A more straightforward way is to simply use prepare() religiously. This
> > also avoids the headache of having to decode your data if you use a
> > different program to access it (such as psql or mysql).
> Thankfully, other languages are able to translate to/from hex *wink*.
Well, paint me ignorant, but I'm unaware of any feature in psql or mysql
(or any other tool, for that matter) that translates hex data to a
human-readable form without explicitly wrapping each field in your query
in a function call (and this precludes queries such as "SELECT * FROM
foo"). I'm not certain what you mean by "other languages" as I was
referring to the command line tools shipped with PostgreSQL and MySQL.
Anyone who does a lot of database work inevitably finds themselves using
the stock tools to review/revise data, so IMO, encoding the data is far
too tedious when there is an existing method for providing safe queries
that doesn't incur this overhead.
> Either way, unencoded/unprepared data may bork you.
Cliff Wells <clifford.wells at comcast.net>
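The trade-off argued in this thread, as an added example that is not from the thread: Python's standard sqlite3 module is used, with its DB-API parameter binding standing in for the prepare() call mentioned above. The table foo and the sample value are constructed for the example.

```python
"""Added example: string-built SQL vs. parameter binding vs. hex encoding.

Assumes sqlite3 (standard library); the table `foo` and the sample
value are constructed here and are not from the thread.
"""
import sqlite3

# Constructed sample: a value containing a single quote, the ordinary
# case that breaks SQL assembled from strings.
SAMPLE_NAME = "O'Reilly"


def store_with_string_formatting(conn, name):
    """Unsafe pattern: the value is pasted into the SQL text.
    Returns the exception raised (None if it succeeded); the quote in
    the data changes the meaning of the statement."""
    try:
        conn.execute("INSERT INTO foo (name) VALUES ('%s')" % name)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return exc


def store_with_parameters(conn, name):
    """Safe pattern: the value is bound as a parameter, so the database
    never parses it as SQL and it is stored exactly as given."""
    conn.execute("INSERT INTO foo (name) VALUES (?)", (name,))
    conn.commit()


def store_hex_encoded(conn, name):
    """The encoding alternative from the thread: hex carries no SQL
    metacharacters, but the stored row is no longer human-readable."""
    conn.execute("INSERT INTO foo (name) VALUES (?)", (name.encode().hex(),))
    conn.commit()


def decode_hex_row(value):
    """The extra step a hex-encoding scheme forces on every reader."""
    return bytes.fromhex(value).decode()


def select_all(conn):
    """What 'SELECT name FROM foo' shows in psql/mysql-style CLI tools."""
    return [row[0] for row in conn.execute("SELECT name FROM foo ORDER BY rowid")]


def demo():
    """Returns (string-formatting failed?, rows as the CLI would show them)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (name TEXT)")
    err = store_with_string_formatting(conn, SAMPLE_NAME)  # syntax error
    store_with_parameters(conn, SAMPLE_NAME)               # stored readable
    store_hex_encoded(conn, SAMPLE_NAME)                   # stored as hex
    return err is not None, select_all(conn)
```

Only the parameter-bound row is both safe to insert and readable in a plain SELECT; the hex row needs decode_hex_row() before anyone can make sense of it.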