Protecting against SQL injection
bignose+hates-spam at benfinney.id.au
Tue Oct 24 10:11:52 CEST 2006
Paul Rubin <"http://phr.cx"@NOSPAM.invalid> writes:
> Tor Erik Soenvisen <toreriks at hotmail.com> writes:
> > # Protect against SQL injection by escaping quotes
> Don't ever do that, safe or not. Use query parameters instead.
> That's what they're for.
More specifically: They've been debugged for just these kinds of
purposes, and every time you code an ad-hoc escaping-and-formatting
SQL query, you're inviting all the bugs that have been found and
\ "Welchen Teil von 'Gestalt' verstehen Sie nicht? [What part of |
`\ 'gestalt' don't you understand?]" -- Karsten M. Self |
More information about the Python-list