Protecting against SQL injection

Tor Erik Soenvisen toreriks at hotmail.com
Tue Oct 24 09:43:43 CEST 2006


Hi,

How safe is the following code against SQL injection:

        # Get user privilege
        digest = sha.new(pw).hexdigest()
        # Protect against SQL injection by escaping quotes
        uname = uname.replace("'", "''")
        sql = 'SELECT privilege FROM staff WHERE ' + \
              'username=\'%s\' AND password=\'%s\'' % (uname, digest)
        res = self.oraDB.query(sql)

pw is the supplied password abd uname is the supplied password.

regards



More information about the Python-list mailing list