Web App like Google
graham.fawcett at gmail.com
Tue Jul 12 19:07:37 CEST 2005
In translating natural language to SQL, be sure you're not introducing
opportunities for SQL injection attacks. Code like
sql = 'SELECT %s FROM %s' % (this, that)
is considered dangerous, because a well-crafted value for "that" can be
used to, e.g., delete rows from your tables, run system commands, etc.
You can save a lot of worry by using a database account with read-only
privileges, but you still have to be careful. My advice is to read up
on "sql injection" before going too public with your code.
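To make the warning concrete, here is an added example (not code from the original post) that runs the post's `'SELECT %s FROM %s' % (this, that)` pattern against a constructed SQLite database, shows a crafted value for "that" reading a table the caller was never meant to see, and then shows the two fixes the post points at: checking table/column names against a fixed allow-list (identifiers cannot be passed as query parameters, so they must be validated) and binding filter values with `?` placeholders. `PRAGMA query_only` stands in for the read-only database account; the `users`/`secrets` schema and the `hunter2` value are made up for the demonstration.

```python
import sqlite3

# Constructed sample schema and data for the demonstration (not from the post).
SCHEMA = """
CREATE TABLE users   (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT NOT NULL);
INSERT INTO users (name) VALUES ('alice'), ('bob');
INSERT INTO secrets (api_key) VALUES ('hunter2');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def unsafe_select(conn, this, that):
    # The pattern from the post: untrusted text spliced straight into the SQL.
    # A value such as "users UNION SELECT api_key FROM secrets" for `that`
    # turns the query into something the author never wrote.
    sql = 'SELECT %s FROM %s' % (this, that)
    return [row[0] for row in conn.execute(sql)]


# Identifiers (table and column names) cannot be bound as parameters, so the
# only safe option is to compare them against a fixed set before use.
ALLOWED = {"users": {"id", "name"}}


def safe_select(conn, column, table, name_filter=None):
    if table not in ALLOWED or column not in ALLOWED[table]:
        raise ValueError("identifier not permitted: %r.%r" % (table, column))
    # Both names are now known-good literals; quote them anyway so that an
    # identifier which happens to be a keyword still parses.
    sql = 'SELECT "%s" FROM "%s"' % (column, table)
    params = ()
    if name_filter is not None:
        # Values travel as bound parameters; the driver never parses them as SQL,
        # so a value like "alice' OR '1'='1" simply matches no row.
        sql += " WHERE name = ?"
        params = (name_filter,)
    return [row[0] for row in conn.execute(sql, params)]


def make_query_only(conn):
    # Stand-in for the read-only account the post recommends: with this
    # pragma set, SQLite refuses INSERT/UPDATE/DELETE on the connection.
    conn.execute("PRAGMA query_only = 1")


def try_delete_all_users(conn):
    # Returns True if the delete went through, False if the database refused it.
    try:
        conn.execute("DELETE FROM users")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    conn = make_db()
    payload = "users UNION SELECT api_key FROM secrets"
    print("unsafe:", unsafe_select(conn, "name", payload))
    print("safe  :", safe_select(conn, "name", "users", "alice"))
    make_query_only(conn)
    print("delete allowed after query_only?", try_delete_all_users(conn))
```

The allow-list is the important part: escaping does not help for identifiers, and a read-only account limits the damage from an injected query but still leaves every readable table exposed, which is why the example pairs the two.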