how to replace and string in a "SELECT ... IN ()"
d3vvnull at gmail.com
Sat Sep 27 00:05:30 CEST 2008
so you wouldn't object then to something like '.... in (%s)' %
','.join([str_edit_for_exploit(x) for x in aList])
if str_edit_for_exploit applied security edits?
On Fri, Sep 26, 2008 at 2:28 PM, Benjamin Kaplan
<benjamin.kaplan at case.edu> wrote:
> On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin <d3vvnull at gmail.com> wrote:
>> Doesn't it depend on where and why you intend to execute the code?
>> Obviously some SQL is more at risk for exploit when the input is from the
>> screen on a web page than if you were running parameterized code in a
>> controlled batch environment. Or if you were writing code generators (which
>> is what I happen to do) which won't be run by the general public.
>> Incidentally, couldn't input field edits prevent such exploits prior to
> There are ways to avoid SQL injection attacks, such as escaping all quotes
> in the text. We were simply pointing out that you have to be very careful
> when you add arbitrary strings into SQL statements. If you control
> everything going into the statement, you shouldn't have to worry about this.
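A parameterized way to build the "SELECT ... IN (...)" clause the thread is arguing about, added here as an example (not code from the thread or from either poster). It assumes SQLite through the standard sqlite3 module and a constructed users table; the bound values never become part of the SQL text, so no str_edit_for_exploit-style escaping is needed:

```python
import sqlite3
from typing import Iterable, List, Tuple


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the thread's real target table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("bob",), ("O'Brien",), ("carol",)],
    )
    return conn


def select_names_in(conn: sqlite3.Connection, names: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (id, name) rows whose name is in `names`, one bound parameter per value.

    Only the placeholder list ("?,?,?") is interpolated into the statement; the
    values travel separately to the driver, so quotes or SQL keywords inside a
    value are treated as data, not as part of the query.
    """
    values = list(names)
    if not values:
        # "IN ()" is a syntax error in SQLite and most other engines: short-circuit.
        return []
    placeholders = ",".join("?" * len(values))  # e.g. "?,?,?"
    sql = f"SELECT id, name FROM users WHERE name IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, values).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(select_names_in(db, ["alice", "O'Brien"]))   # apostrophe handled as data
    print(select_names_in(db, ["nobody' OR '1'='1"]))  # whole string is one literal name
    print(select_names_in(db, []))                     # empty list never reaches the DB
```

Drivers that use a different paramstyle (e.g. %s for psycopg2 or MySQLdb) need the placeholder token swapped, but the structure is the same.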