Protecting against SQL injection

Christoph Zwerschke cito at online.de
Wed Nov 22 14:59:05 EST 2006


Tor Erik Soenvisen wrote:
> How safe is the following code against SQL injection:
> 
>         # Get user privilege
>         digest = sha.new(pw).hexdigest()
>         # Protect against SQL injection by escaping quotes
>         uname = uname.replace("'", "''")
>         sql = 'SELECT privilege FROM staff WHERE ' + \
>               'username=\'%s\' AND password=\'%s\'' % (uname, digest)
>         res = self.oraDB.query(sql)

This is definitely *not* safe.

For instance, set uname = r"\' or 1=1 --"

You must replace the backslash with a double backslash as well.
But as already suggested, you should better use query parameters.

-- Christoph
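A worked illustration of the point made in this exchange, added here as an example and not code from either poster. It rebuilds the posted query-building approach (quote doubling plus string interpolation) against an in-memory SQLite table with constructed sample rows, then uses a small scanner that finds where the first string literal ends under two sets of literal rules: plain SQL quote doubling (what SQLite uses) versus quote doubling plus backslash escapes (MySQL's default mode). Under the second set of rules the backslash payload ends the literal early and the attacker's text lands in the query itself. The parameterized version passes the username to the driver and is unaffected either way. The table name, columns, sample users, hashing with `hashlib.sha1` and the helper names are all assumptions for this example; the `sha` module used in the original post no longer exists.

```python
import hashlib
import sqlite3

QUERY_TEMPLATE = (
    "SELECT privilege FROM staff WHERE username='%s' AND password='%s'"
)


def make_db():
    """Constructed sample data for the example; not from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)"
    )
    for user, pw, priv in [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]:
        digest = hashlib.sha1(pw.encode()).hexdigest()
        conn.execute("INSERT INTO staff VALUES (?, ?, ?)", (user, digest, priv))
    conn.commit()
    return conn


def quote_escaped_sql(uname, pw):
    """Same construction as the posted code: double single quotes, interpolate."""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    uname = uname.replace("'", "''")
    return QUERY_TEMPLATE % (uname, digest)


def first_literal(sql, backslash_escapes):
    """Toy scanner (assumption: a minimal model of string-literal lexing).

    Returns (contents of the first single-quoted literal, remainder of the
    query after its closing quote). With backslash_escapes=False only ''
    stands for a quote inside a literal; with True, \\x also escapes x."""
    i = sql.index("'") + 1
    out = []
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])
            i += 2
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def escaped_query_result(conn, uname, pw):
    """Run the string-built query on SQLite and return the privilege or None."""
    row = conn.execute(quote_escaped_sql(uname, pw)).fetchone()
    return row[0] if row else None


def lookup_privilege(conn, uname, pw):
    """The recommended form: bind parameters, never interpolate user text."""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    row = conn.execute(
        "SELECT privilege FROM staff WHERE username=? AND password=?",
        (uname, digest),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = r"\' or 1=1 --"
    sql = quote_escaped_sql(payload, "x")
    print(sql)
    for rule in (False, True):
        lit, tail = first_literal(sql, backslash_escapes=rule)
        print("backslash escapes:", rule, "| literal:", repr(lit), "| tail:", repr(tail))
    conn = make_db()
    print("string-built on SQLite:", escaped_query_result(conn, payload, "x"))
    print("parameterized:", lookup_privilege(conn, payload, "x"),
          lookup_privilege(conn, "alice", "s3cret"))
```

The scanner output is the instructive part: with quote doubling only, the whole payload stays inside the literal and the tail begins with `AND password=`, but once backslashes are honoured the literal closes after a single `'` and `or 1=1 --` sits in the WHERE clause. Which rules apply is a property of the database and its configuration, not of the Python code, which is why hand-escaping is fragile and bound parameters are the better choice.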


