Protecting against SQL injection
Christoph Zwerschke
cito at online.de
Wed Nov 22 14:59:05 EST 2006
Tor Erik Soenvisen wrote:
> How safe is the following code against SQL injection:
>
> # Get user privilege
> digest = sha.new(pw).hexdigest()
> # Protect against SQL injection by escaping quotes
> uname = uname.replace("'", "''")
> sql = 'SELECT privilege FROM staff WHERE ' + \
> 'username=\'%s\' AND password=\'%s\'' % (uname, digest)
> res = self.oraDB.query(sql)
This is definitely *not* safe.
For instance, set uname = r"\' or 1=1 --"
You must replace the backslash with a double backslash as well.
But as already suggested, you would be better off using query parameters.
-- Christoph
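Added illustration, not code from the thread: the quote-doubling approach from the question next to a parameterized query, run against a constructed staff table. sqlite3 and its `?` placeholders stand in for the poster's Oracle handle, and hashlib.sha1 for the old `sha` module.

```python
import hashlib
import sqlite3

# Constructed fixture standing in for the poster's Oracle table; sqlite3 and
# its "?" placeholders are assumptions, not the original's oraDB interface.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)")
_conn.execute("INSERT INTO staff VALUES ('alice', ?, 'admin')",
              (hashlib.sha1(b"correct horse").hexdigest(),))


def build_sql_quote_escaping(uname, pw):
    """The posted approach: double the single quotes, then interpolate.
    Returns the SQL text the database would receive (not executed here)."""
    digest = hashlib.sha1(pw.encode()).hexdigest()  # hashlib replaces the old sha module
    uname = uname.replace("'", "''")
    return ("SELECT privilege FROM staff WHERE "
            "username='%s' AND password='%s'" % (uname, digest))


def lookup_privilege_parameterized(uname, pw):
    """Bound parameters: the driver sends the values separately from the SQL,
    so quotes and backslashes in user input never become SQL syntax."""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    row = _conn.execute(
        "SELECT privilege FROM staff WHERE username=? AND password=?",
        (uname, digest),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # With the input from the thread the escaped query still reads
    #   username='\'' or 1=1 --' AND password='...'
    # On a database that treats backslash as an escape, the string literal is
    # just a quote, "or 1=1" is live SQL and "--" comments out the rest.
    print(build_sql_quote_escaping(r"\' or 1=1 --", "x"))
    # The same input bound as a parameter is just a username that does not exist.
    print(lookup_privilege_parameterized(r"\' or 1=1 --", "x"))   # None
    print(lookup_privilege_parameterized("alice", "correct horse"))  # admin
```

Whether the backslash trick bites depends on the database's quoting rules, which is the point: with bound parameters the application no longer has to know those rules.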