how to replace and string in a "SELECT ... IN ()"

Tino Wildenhain tino at wildenhain.de
Sat Sep 27 16:14:31 CEST 2008


Hi,

Michael Mabin wrote:
> so you wouldn't object then to something like
>  
>         '.... in (%)' % ','.join([str_edit_for_exploit(x) for x in aList]) 
> 
> if str_edit_for_exploit applied security edits?

Whats an security edit btw? If it is something meant to turn possibly
insecure data into 'secure' then, no I would still object.
Why? Because its a bad example of "default permit". Its always better
to have a whitelist - even more so when its so easy to do.

Its just a habit you develope - if you never do it right, how would you
know when and how to do it right when you need to?

Tino
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.python.org/pipermail/python-list/attachments/20080927/1b1daf92/attachment.bin>


More information about the Python-list mailing list