Protecting against SQL injection

Ben Finney bignose+hates-spam at benfinney.id.au
Tue Oct 24 10:11:52 CEST 2006


Paul Rubin <"http://phr.cx"@NOSPAM.invalid> writes:

> Tor Erik Soenvisen <toreriks at hotmail.com> writes:
> >         # Protect against SQL injection by escaping quotes
>
> Don't ever do that, safe or not.  Use query parameters instead.
> That's what they're for.

More specifically: They've been debugged for just these kinds of
purposes, and every time you code an ad-hoc escaping-and-formatting
SQL query, you're inviting all the bugs that have been found and
removed before.

-- 
 \     "Welchen Teil von 'Gestalt' verstehen Sie nicht?  [What part of |
  `\             'gestalt' don't you understand?]"  -- Karsten M. Self |
_o__)                                                                  |
Ben Finney




More information about the Python-list mailing list