Checking each item in

miller.paul.w at miller.paul.w at
Mon Jun 2 23:24:21 CEST 2008

On Jun 2, 5:06 pm, Peter Otten <__pete... at> wrote:

> You are taking the wrong approach here.
> Don't build SQL statements as strings; you are enabling the next SQL
> injection attack. Pass parameters using the DB API instead.
> Don't use regular expressions to parse a CSV file. Python's csv module is
> more likely to deal correctly with the quirks of that standard.

I'd like to second both these statements.  Regardless of whether these
CSV files are from a trusted source or not, it's a virtual truism of
programming that eventually, any application will be used in ways it
was not intended.  Since using a parameterized query is a simple way
to avoid a common security hole, even if such a thing could never be
exploited by the app in its current configuration, you should do
things the Right Way.  That way, even if your code is twisted to some
other use in the future, it's less likely to cause problems.

More information about the Python-list mailing list