how to replace and string in a "SELECT ... IN ()"

Michael Mabin d3vvnull at gmail.com
Sat Sep 27 00:05:30 CEST 2008


so you wouldn't object then to something like         '.... in (%)' %
','.join([str_edit_for_exploit(x) for x in aList])

if str_edit_for_exploit applied security edits?

On Fri, Sep 26, 2008 at 2:28 PM, Benjamin Kaplan
<benjamin.kaplan at case.edu>wrote:

>
>
> On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin <d3vvnull at gmail.com> wrote:
>
>> Doesn't it depend on where and why you intend to execute the code?
>> Obviously some SQL is more at risk for exploit when the input is from the
>> screen on a web page than if you were running parameterized code in a
>> controlled batch environment.  Or if you were writing code generators (which
>> is what I happen to do) which won't be run by the general public.
>>
>> Incidentally, couldn't input field edits prevent such exploits prior to
>> interpolation?
>>
>
> There are ways to avoid SQL injection attacks, such as escaping all quotes
> in the text. We were simply pointing out that you have to be very careful
> when you add arbitrary strings into SQL statements. If you control
> everything going into the statement, you shouldn't have to worry about this.
>
>
>


-- 
| _ | * | _ |
| _ | _ | * |
| *  | * | * |
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20080926/9399e350/attachment.html>


More information about the Python-list mailing list