Web App like Google

Graham Fawcett graham.fawcett at gmail.com
Tue Jul 12 19:07:37 CEST 2005

In translating natural language to SQL, be sure you're not introducing
opportunities for SQL injection attacks. Code like

   sql = 'SELECT %s FROM %s' % (this, that)

is considered dangerous, because a well-crafted value for "that" can be
used to, e.g., delete rows from your tables, run system commands, etc.
You can save a lot of worry by using a database account with read-only
privileges, but you still have to be careful. My advice is to read up
on "sql injection" before going too public with your code.
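As an added illustration (not part of the original post), here is the same "SELECT %s FROM %s" shape rebuilt the way the advice above suggests: table and column names are checked against an allowlist (identifiers cannot be bound as parameters), and the row filter value is passed to the driver as a bound parameter rather than formatted into the SQL string. The sqlite3 sample table and the ALLOWED mapping are constructed for this example.

```python
import sqlite3

# Identifiers (table and column names) cannot be bound as parameters in SQL,
# so they are validated against a fixed allowlist instead of being trusted.
# The allowlist contents are constructed for this example.
ALLOWED = {
    "products": {"id", "name", "price"},
    "customers": {"id", "email"},
}


def build_query(column, table):
    """Return a parameterised SELECT, or raise if either identifier is unknown."""
    if table not in ALLOWED or column not in ALLOWED[table]:
        raise ValueError("identifier not in allowlist: %r.%r" % (table, column))
    # Only allowlisted identifiers reach the SQL text; the filter value is a
    # '?' placeholder that the driver binds as data at execution time.
    return "SELECT %s FROM %s WHERE name = ?" % (column, table)


def lookup(conn, column, table, value):
    """Run the query with `value` supplied as a bound parameter, not via %."""
    return [row[0] for row in conn.execute(build_query(column, table), (value,))]


def demo_conn():
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "pen", 1.5), (2, "o'brien mug", 6.0)])
    return conn


if __name__ == "__main__":
    conn = demo_conn()
    # A quote inside the value is plain data when bound: it matches the literal name.
    print(lookup(conn, "price", "products", "o'brien mug"))
    # A value shaped like SQL does not alter the query; it is compared as a string.
    print(lookup(conn, "price", "products", "x' OR '1'='1"))
    # An identifier outside the allowlist is rejected before any SQL is built.
    try:
        build_query("id", "accounts")
    except ValueError as exc:
        print("rejected:", exc)
```

The bound value never changes the statement's structure, which is the property the `%` formatting in the post lacks; the allowlist covers the part (identifiers) that parameter binding cannot.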
