Web App like Google

Graham Fawcett graham.fawcett at gmail.com
Tue Jul 12 19:07:37 CEST 2005


In translating natural language to SQL, be sure you're not introducing
opportunities for SQL injection attacks. Code like

   sql = 'SELECT %s FROM %s' % (this, that)

is considered dangerous, because a well-crafted value for "that" can be
used to, e.g., delete rows from your tables, run system commands, etc.
You can save a lot of worry by using a database account with read-only
privileges, but you still have to be careful. My advice is to read up
on "sql injection" before going too public with your code.

Graham
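
A defensive illustration of the point above, added here and not part of Graham's post: the formatted-string query beside a version that binds the value as a parameter and checks the table and column names against an allowlist (identifiers cannot be bound, so they must be validated instead). The schema, sample rows and allowlist are constructed for this example.

```python
import sqlite3

# Constructed for this example: the tables and columns the application may query.
# Identifiers can't be passed as bound parameters, so they are checked here
# instead of being formatted in from untrusted text.
ALLOWED_TABLES = {"people": {"name", "city"}}


def build_query(column, table):
    """Return a SELECT whose identifiers come from the allowlist only."""
    if table not in ALLOWED_TABLES or column not in ALLOWED_TABLES[table]:
        raise ValueError("unknown identifier: %r.%r" % (table, column))
    # Identifiers are double-quoted; the value is left as a '?' placeholder.
    return 'SELECT "%s" FROM "%s" WHERE "name" = ?' % (column, table)


def safe_select(conn, column, table, name):
    """Run the query with the value bound as a parameter, never interpolated."""
    rows = conn.execute(build_query(column, table), (name,))
    return [row[0] for row in rows]


def unsafe_select(conn, column, table, name):
    """The pattern from the post: everything spliced into the SQL text."""
    sql = "SELECT %s FROM %s WHERE name = '%s'" % (column, table, name)
    return [row[0] for row in conn.execute(sql)]


def naive_query_breaks(conn, name):
    """True if the formatted query fails on ordinary data such as a surname
    containing an apostrophe; a bound parameter handles the same value."""
    try:
        unsafe_select(conn, "city", "people", name)
    except sqlite3.OperationalError:
        return True
    return False


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)",
                     [("Ada", "London"), ("O'Brien", "Dublin")])
    return conn


if __name__ == "__main__":
    db = make_db()
    print(safe_select(db, "city", "people", "O'Brien"))   # ['Dublin']
    print(naive_query_breaks(db, "O'Brien"))              # True
```

The bound version returns the right row for a name with an embedded quote, while the formatted version cannot even parse it; the allowlist is what stops an unexpected table or column name from reaching the database at all.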
