how to replace and string in a "SELECT ... IN ()"
d3vvnull at gmail.com
Sat Sep 27 00:06:25 CEST 2008
Oops. I meant:
'.... in (%s)' % ','.join([str_edit_for_exploit(x) for x in aList])
On Fri, Sep 26, 2008 at 5:05 PM, Michael Mabin <d3vvnull at gmail.com> wrote:
> so you wouldn't object then to something like '.... in (%)' %
> ','.join([str_edit_for_exploit(x) for x in aList])
> if str_edit_for_exploit applied security edits?
> On Fri, Sep 26, 2008 at 2:28 PM, Benjamin Kaplan <benjamin.kaplan at case.edu> wrote:
>> On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin <d3vvnull at gmail.com> wrote:
>>> Doesn't it depend on where and why you intend to execute the code?
>>> Obviously some SQL is more at risk for exploit when the input is from the
>>> screen on a web page than if you were running parameterized code in a
>>> controlled batch environment. Or if you were writing code generators (which
>>> is what I happen to do) which won't be run by the general public.
>>> Incidentally, couldn't input field edits prevent such exploits prior to
>> There are ways to avoid SQL injection attacks, such as escaping all quotes
>> in the text. We were simply pointing out that you have to be very careful
>> when you add arbitrary strings into SQL statements. If you control
>> everything going into the statement, you shouldn't have to worry about this.
> | _ | * | _ |
> | _ | _ | * |
> | * | * | * |
| _ | * | _ |
| _ | _ | * |
| * | * | * |
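As an added example (not code from the original thread, and not the poster's `str_edit_for_exploit`), the following shows the two approaches the thread is circling: building the `IN (...)` list from bound parameters, so the values never become part of the SQL text, next to a hand-rolled quoting function of the kind proposed above. The table `users`, the sample rows and the function names are constructed for this example and are assumptions, not anything from the thread.

```python
import sqlite3
from typing import Iterable, List, Sequence, Tuple

# Constructed sample data for the example; not from the original thread.
SAMPLE_ROWS = [
    (1, "alice"),
    (2, "O'Brien"),   # a legitimate value containing a quote character
    (3, "bob"),
    (4, "carol"),
]


def make_conn() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def in_clause(values: Sequence) -> str:
    """Return a '?, ?, ?' placeholder list with one slot per value.

    Only placeholder characters are spliced into the SQL text here, never the
    values themselves, so this string formatting is safe.
    """
    return ", ".join("?" for _ in values)


def select_names_in(conn: sqlite3.Connection, names: Iterable[str]) -> List[Tuple]:
    """Parameterised version: every value travels as a bound parameter.

    The database driver handles quoting, so the question of which characters
    need escaping does not arise in application code.
    """
    names = list(names)
    if not names:
        # 'IN ()' is a syntax error in most dialects; an empty set matches nothing.
        return []
    sql = "SELECT id, name FROM users WHERE name IN (%s) ORDER BY id" % in_clause(names)
    return conn.execute(sql, tuple(names)).fetchall()


def quote_literal(value: str) -> str:
    """Hand-rolled string literal quoting (the thread's 'security edit' idea).

    Doubling single quotes is the SQL-standard escape for string literals, but
    this only covers str values and only the quoting rules of the one dialect
    you had in mind; NUL bytes, non-string types and dialect-specific escapes
    are all left to the caller. Shown for contrast, not as a recommendation.
    """
    return "'" + value.replace("'", "''") + "'"


def select_names_in_quoted(conn: sqlite3.Connection, names: Iterable[str]) -> List[Tuple]:
    """String-building version: values are quoted and spliced into the SQL text."""
    names = list(names)
    if not names:
        return []
    literals = ", ".join(quote_literal(n) for n in names)
    sql = "SELECT id, name FROM users WHERE name IN (%s) ORDER BY id" % literals
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_conn()
    print(select_names_in(db, ["alice", "O'Brien"]))
    print(select_names_in_quoted(db, ["alice", "O'Brien"]))
```

Both functions return the same rows for `["alice", "O'Brien"]`, which is the point: the parameterised form gets that result without any application-side escaping logic to maintain or audit. One caveat for the placeholder approach: drivers cap the number of bound variables per statement (SQLite's `SQLITE_MAX_VARIABLE_NUMBER` defaults to 999 before 3.32.0 and 32766 from 3.32.0 on), so very long lists need to be chunked or loaded into a temporary table.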