Protecting against SQL injection

Ben Finney bignose+hates-spam at
Tue Oct 24 10:11:52 CEST 2006

Paul Rubin <""@NOSPAM.invalid> writes:

> Tor Erik Soenvisen <toreriks at> writes:
> >         # Protect against SQL injection by escaping quotes
> Don't ever do that, safe or not.  Use query parameters instead.
> That's what they're for.

More specifically: They've been debugged for just these kinds of
purposes, and every time you code an ad-hoc escaping-and-formatting
SQL query, you're inviting all the bugs that have been found and
removed before.

 \     "Welchen Teil von 'Gestalt' verstehen Sie nicht?  [What part of |
  `\             'gestalt' don't you understand?]"  -- Karsten M. Self |
_o__)                                                                  |
Ben Finney
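The contrast the thread draws, as an added example that is not code from the thread or from any of its posters: the same lookup written with string interpolation, with the ad-hoc quote-doubling that Tor Erik's comment described, and with a query parameter. It uses only the standard-library `sqlite3` module and a constructed in-memory `users` table with made-up `.invalid` addresses; the helper names are this example's own.

```python
import sqlite3

# Constructed sample data for this example only (not from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("O'Brien", "obrien@example.invalid"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_interpolated(conn, name):
    # The pattern the thread warns against: the value is pasted into the SQL
    # text, so whatever it contains is parsed as SQL, not compared as data.
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    # The "escape quotes" variant from the quoted comment. Doubling the quote
    # happens to satisfy SQLite's string-literal rules, but it re-implements
    # by hand what the driver already does, and the rules differ per database.
    escaped = name.replace("'", "''")
    sql = "SELECT email FROM users WHERE name = '%s'" % escaped
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # What Paul Rubin and Ben Finney recommend: the value travels separately
    # from the SQL text, so the driver, not the caller, handles quoting.
    cur = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]


def demo():
    """Run each lookup on an apostrophe name and on SQL-looking input."""
    conn = make_db()
    results = {}

    # A legitimate name containing a quote breaks naive interpolation outright.
    try:
        lookup_interpolated(conn, "O'Brien")
        results["interpolated_apostrophe"] = "ok"
    except sqlite3.OperationalError as exc:
        results["interpolated_apostrophe"] = "error: %s" % exc

    results["escaped_apostrophe"] = lookup_escaped(conn, "O'Brien")
    results["param_apostrophe"] = lookup_param(conn, "O'Brien")

    # Input that reads as SQL: interpolation lets it rewrite the WHERE clause
    # (every row matches); the parameterised query compares it as a plain
    # string that no user is named, so nothing matches.
    sql_looking = "x' OR 'a'='a"
    results["interpolated_sql_looking"] = sorted(lookup_interpolated(conn, sql_looking))
    results["param_sql_looking"] = lookup_param(conn, sql_looking)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %r" % (key, value))
```

The parameterised form is also the one that stays correct when the database or its escaping mode changes; the quote-doubling in `lookup_escaped` only works here because it matches SQLite's literal syntax.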
