how to replace and string in a "SELECT ... IN ()"

D'Arcy J.M. Cain darcy at druid.net
Fri Sep 26 21:21:58 CEST 2008


On Fri, 26 Sep 2008 14:04:35 -0500
"Michael Mabin" <d3vvnull at gmail.com> wrote:
> Doesn't it depend on where and why you intend to execute the code?
> Obviously some SQL is more at risk for exploit when the input is from the
> screen on a web page than if you were running parameterized code in a
> controlled batch environment.  Or if you were writing code generators (which
> is what I happen to do) which won't be run by the general public.
> 
> Incidentally, couldn't input field edits prevent such exploits prior to
> interpolation?

I encourage my competitors to program that way.

-- 
D'Arcy J.M. Cain <darcy at druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.



More information about the Python-list mailing list