how to replace and string in a "SELECT ... IN ()"

Michael Mabin d3vvnull at gmail.com
Sat Sep 27 00:06:25 CEST 2008


oops. i meant.
        '.... in (%s)' % ','.join([str_edit_for_exploit(x) for x in aList])


On Fri, Sep 26, 2008 at 5:05 PM, Michael Mabin <d3vvnull at gmail.com> wrote:

> so you wouldn't object then to something like         '.... in (%)' %
> ','.join([str_edit_for_exploit(x) for x in aList])
>
> if str_edit_for_exploit applied security edits?
>
> On Fri, Sep 26, 2008 at 2:28 PM, Benjamin Kaplan <benjamin.kaplan at case.edu
> > wrote:
>
>>
>>
>> On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin <d3vvnull at gmail.com>wrote:
>>
>>> Doesn't it depend on where and why you intend to execute the code?
>>> Obviously some SQL is more at risk for exploit when the input is from the
>>> screen on a web page than if you were running parameterized code in a
>>> controlled batch environment.  Or if you were writing code generators (which
>>> is what I happen to do) which won't be run by the general public.
>>>
>>> Incidentally, couldn't input field edits prevent such exploits prior to
>>> interpolation?
>>>
>>
>> There are ways to avoid SQL injection attacks, such as escaping all quotes
>> in the text. We were simply pointing out that you have to be very careful
>> when you add arbitrary strings into SQL statements. If you control
>> everything going into the statement, you shouldn't have to worry about this.
>>
>>
>>
>
>
> --
> | _ | * | _ |
> | _ | _ | * |
> | *  | * | * |
>



-- 
| _ | * | _ |
| _ | _ | * |
| *  | * | * |
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20080926/73446c5a/attachment.html>


More information about the Python-list mailing list