Python or PHP?
Steve Holden
steve at holdenweb.com
Sun Apr 24 19:03:39 EDT 2005
Leif Biberg Kristensen wrote:
> Leif K-Brooks skrev:
>
>
>>But Python's DB-API (the standard way to connect to an SQL database
>>from Python) makes escaping SQL strings automatic. You can do this:
>>
>>cursor.execute('UPDATE foo SET bar=%s WHERE id=%s', ["foo'bar", 123])
>
>
> So. I've been writing SQL queries in Python like this, using PostgreSQL
> and psycopg:
>
> cursor.execute("select * from foo where bar=%s" % baz)
>
> Is that wrong, and how should I have been supposed to know that this is
> bad syntax? No doc I have seen actually has told me so.
It's *wrong* for some value of "wrong" - it does potentially introduce a
SQL injection vulnerability into your code.
Suppose I provide as input into the baz variable
1; drop table foo
Your statement then becomes
select * from foo where bar=1; drop table foo
which is clearly not such a good idea. More sophisticated attacks are
possible, but this gives you the idea.
regards
Steve
--
Steve Holden +1 703 861 4237 +1 800 494 3119
Holden Web LLC http://www.holdenweb.com/
Python Web Programming http://pydish.holdenweb.com/
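The two query styles from this exchange side by side, as an added example that is not part of the original thread. It uses Python's standard-library sqlite3 module so it runs offline; the thread itself is about psycopg/PostgreSQL, whose placeholder is %s rather than sqlite3's ?, but the execute(sql, params) call shape is the same. The table foo, its rows and the injected inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table; not data from the original thread.
ROWS = [(1, 10), (2, 20), (3, 30)]


def make_db():
    """In-memory SQLite database with a table shaped like the post's 'foo'."""
    con = sqlite3.connect(":memory:")
    con.execute("create table foo (id integer primary key, bar integer)")
    con.executemany("insert into foo values (?, ?)", ROWS)
    con.commit()
    return con


def build_unsafe_sql(baz):
    """The string-formatting pattern from the post: input becomes SQL text."""
    return "select * from foo where bar=%s" % baz


def unsafe_query(con, baz):
    """Runs the formatted statement; the caller's input is parsed as SQL."""
    return con.execute(build_unsafe_sql(baz)).fetchall()


def safe_query(con, baz):
    """Parameterised form. sqlite3 uses '?' placeholders (paramstyle 'qmark');
    psycopg, as in the thread, uses '%s' with the same execute(sql, params)
    call shape. The value is sent separately and never becomes SQL text."""
    return con.execute("select * from foo where bar=?", (baz,)).fetchall()


def stacked_statement_refused(con):
    """Steve's payload '...; drop table foo' against sqlite3: execute()
    accepts one statement only and raises (sqlite3.Warning before Python
    3.11, sqlite3.ProgrammingError from 3.11 on). A driver that allows
    stacked statements would run the DROP. Returns True if 'foo' survived."""
    try:
        unsafe_query(con, "10; drop table foo")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        pass
    rows = con.execute(
        "select name from sqlite_master where type='table' and name='foo'"
    ).fetchall()
    return rows == [("foo",)]


if __name__ == "__main__":
    con = make_db()
    print(build_unsafe_sql("1; drop table foo"))
    print("unsafe, benign input:   ", unsafe_query(con, "10"))
    print("unsafe, injected input: ", unsafe_query(con, "10 or 1=1"))
    print("safe, benign input:     ", safe_query(con, 10))
    print("safe, injected input:   ", safe_query(con, "10 or 1=1"))
    print("stacked statement refused:", stacked_statement_refused(con))
```

The `10 or 1=1` input is the point: even where the driver refuses stacked statements, string formatting lets the caller rewrite the WHERE clause and read every row, while the parameterised query treats the same text as a value that matches nothing.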