Protecting against SQL injection

Tor Erik Soenvisen toreriks at
Tue Oct 24 09:43:43 CEST 2006


How safe is the following code against SQL injection:

        # Get user privilege
        digest =
        # Protect against SQL injection by escaping quotes
        uname = uname.replace("'", "''")
        sql = 'SELECT privilege FROM staff WHERE ' + \
              'username=\'%s\' AND password=\'%s\'' % (uname, digest)
        res = self.oraDB.query(sql)

pw is the supplied password and uname is the supplied password.
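For comparison, here is an added example (not the poster's code) that puts the quote-doubling approach from the message next to a bind-parameter version of the same lookup. It assumes a SHA-256 digest of the password, since the post elides how `digest` is computed, and uses an in-memory SQLite table with constructed rows in place of the Oracle `staff` table. With bind parameters the driver sends `uname` and `digest` as values, so they are never parsed as SQL and no escaping step has to be kept correct for each database's literal syntax; the string-building version protects only the value that was explicitly run through `replace`, which a small balance check over the built statement makes visible.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's staff table.
    Column names follow the post; the rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)"
    )
    rows = [
        ("alice", hashlib.sha256(b"alice-pw").hexdigest(), "admin"),
        ("o'brien", hashlib.sha256(b"obrien-pw").hexdigest(), "user"),
    ]
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", rows)
    return conn


def lookup_privilege(conn, uname, pw):
    """Bind-parameter form of the post's query.

    uname and the digest are passed to the driver as values, so a quote
    in either one is stored and compared as data, never parsed as SQL.
    SQLite uses '?' placeholders; cx_Oracle uses ':name' binds instead.
    """
    # Assumed hashing step: the post does not show how digest is derived.
    digest = hashlib.sha256(pw.encode("utf-8")).hexdigest()
    row = conn.execute(
        "SELECT privilege FROM staff WHERE username=? AND password=?",
        (uname, digest),
    ).fetchone()
    return row[0] if row else None


def build_sql_escaped(uname, digest):
    """The post's string-building approach, reproduced for comparison.

    Only uname has its single quotes doubled; digest is interpolated
    verbatim, so the statement is well-formed only as long as every
    value that reaches it has been through the same escaping step.
    """
    uname = uname.replace("'", "''")
    return (
        "SELECT privilege FROM staff WHERE "
        "username='%s' AND password='%s'" % (uname, digest)
    )


def quotes_balanced(sql):
    """Cheap sanity check on a built statement: every string literal must
    open and close, so the count of single quotes has to be even. An odd
    count means some value altered the statement's structure."""
    return sql.count("'") % 2 == 0


if __name__ == "__main__":
    db = make_db()
    print(lookup_privilege(db, "o'brien", "obrien-pw"))      # user
    print(lookup_privilege(db, "alice", "not-the-password"))  # None
    # Quote in the escaped value: statement stays balanced.
    print(quotes_balanced(build_sql_escaped("o'brien", "abc")))  # True
    # Same quote in the unescaped digest slot: structure is altered.
    print(quotes_balanced(build_sql_escaped("alice", "x'y")))    # False
```

A hex digest cannot contain a quote, so in the post's exact case the unescaped `digest` is not itself a problem; the point of the check is that the pattern does not generalize, because safety depends on remembering to escape every value and on the escaping matching the target database's literal rules. Bind parameters remove both dependencies.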

