Protecting against SQL injection

Steve Holden steve at holdenweb.com
Tue Oct 24 13:31:09 CEST 2006


Tor Erik Soenvisen wrote:
> Hi,
> 
> How safe is the following code against SQL injection:
> 
>         # Get user privilege
>         digest = sha.new(pw).hexdigest()
>         # Protect against SQL injection by escaping quotes
>         uname = uname.replace("'", "''")
>         sql = 'SELECT privilege FROM staff WHERE ' + \
>               'username=\'%s\' AND password=\'%s\'' % (uname, digest)
>         res = self.oraDB.query(sql)
> 
> pw is the supplied password abd uname is the supplied password.
> 
Slightly safer than not doing anything to the user-supplied inputs, but 
nowehere near as safe as it needs to be. Use parameterized queries!

regards
  Steve
-- 
Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC/Ltd          http://www.holdenweb.com
Skype: holdenweb       http://holdenweb.blogspot.com
Recent Ramblings     http://del.icio.us/steve.holden




More information about the Python-list mailing list