Protecting against SQL injection

Aahz aahz at pythoncraft.com
Tue Oct 24 15:52:55 CEST 2006


In article <Xns986662F736DD5toreriknpolarno at 129.242.5.222>,
Tor Erik Soenvisen  <toreriks at hotmail.com> wrote:
>
>How safe is the following code against SQL injection:
>
>        # Get user privilege
>        digest = sha.new(pw).hexdigest()
>        # Protect against SQL injection by escaping quotes
>        uname = uname.replace("'", "''")
>        sql = 'SELECT privilege FROM staff WHERE ' + \
>              'username=\'%s\' AND password=\'%s\'' % (uname, digest)
>        res = self.oraDB.query(sql)

Do yourself a favor at least and switch to using double-quotes for the
string.  I also recommend switching to triple-quotes to avoid the
backslash continuation.
-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

"If you don't know what your program is supposed to do, you'd better not
start writing it."  --Dijkstra



More information about the Python-list mailing list