Protecting against SQL injection

Aahz aahz at
Tue Oct 24 15:52:55 CEST 2006

In article <Xns986662F736DD5toreriknpolarno at>,
Tor Erik Soenvisen  <toreriks at> wrote:
>How safe is the following code against SQL injection:
>        # Get user privilege
>        digest =
>        # Protect against SQL injection by escaping quotes
>        uname = uname.replace("'", "''")
>        sql = 'SELECT privilege FROM staff WHERE ' + \
>              'username=\'%s\' AND password=\'%s\'' % (uname, digest)
>        res = self.oraDB.query(sql)

Do yourself a favor at least and switch to using double-quotes for the
string.  I also recommend switching to triple-quotes to avoid the
backslash continuation.
Aahz (aahz at           <*>

"If you don't know what your program is supposed to do, you'd better not
start writing it."  --Dijkstra
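Added example, not code from the thread: the quoted lookup rewritten the way Aahz suggests (double quotes and a triple-quoted SQL string, so no backslash continuation or escaped quotes are needed), placed beside the same lookup done with DB-API parameter binding, which is the standard mitigation for SQL injection because the values never become part of the SQL text. It assumes an in-memory sqlite3 table standing in for the post's `self.oraDB` and `staff` table (sqlite3 uses `?` placeholders; Oracle drivers use named `:name` placeholders), and that `digest` is a hex digest computed elsewhere, since that line is cut off in the quote.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the post's Oracle 'staff' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)"
    )
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [("alice", "d1g3st-a", "admin"), ("o'brien", "d1g3st-b", "user")],
    )
    conn.commit()
    return conn


def query_escaped(conn, uname, digest):
    """The post's approach: double every single quote in the username, then
    build the SQL string. Written with a triple-quoted string as Aahz
    suggests; 'digest' is assumed to be hex output of a hash, so it is not
    escaped, matching the quoted code."""
    uname = uname.replace("'", "''")
    sql = """SELECT privilege FROM staff
             WHERE username='%s' AND password='%s'""" % (uname, digest)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def query_parameterized(conn, uname, digest):
    """DB-API parameter binding: the driver sends the values separately from
    the statement, so quotes in the input need no special handling."""
    sql = """SELECT privilege FROM staff
             WHERE username=? AND password=?"""
    row = conn.execute(sql, (uname, digest)).fetchone()
    return row[0] if row else None


def both_agree(conn, uname, digest):
    """Check that the escaped string build and the bound-parameter query
    return the same privilege for a given login attempt."""
    return query_escaped(conn, uname, digest) == query_parameterized(
        conn, uname, digest
    )


if __name__ == "__main__":
    db = make_db()
    # A legitimate username containing an apostrophe is the case the
    # quote-doubling must get right; both variants should return "user".
    for name, dig in [("alice", "d1g3st-a"), ("o'brien", "d1g3st-b"), ("alice", "nope")]:
        print(name, query_escaped(db, name, dig), both_agree(db, name, dig))
```

The apostrophe in `o'brien` is the case worth keeping in a regression test: quote-doubling handles it for this driver, but the parameterized form handles it without the application having to know the database's quoting rules at all.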
