how to replace and string in a "SELECT ... IN ()"
tino at wildenhain.de
Fri Sep 26 17:13:58 CEST 2008
Michael Mabin wrote:
> I laugh in the face of danger.
> Give me a use case for an exploit.
.... (see below)
> On Fri, Sep 26, 2008 at 8:05 AM, Tino Wildenhain <tino at wildenhain.de> wrote:
> Michael Mabin wrote:
> SELECT titem.object_id, titem.tag_id
> FROM tagging_taggeditem titem
> WHERE titem.object_id IN (%s)
> """ % ','.join([str(x) for x in [1,5,9]])
> Nope. That would be dangerous! -> google for SQL injection
You are not seeing it? Do you know where the
OP actually gets his list data from in the
You might get away with
as an easy "sanitizer"
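The pattern argued over in this thread, as an added example that is not part of the original post or either author's code: the `%s` + `','.join(...)` construction from the quoted message, set beside two defensive alternatives. The int() coercion stands in for the elided "easy sanitizer" (an assumption about what Tino meant, since that line did not survive), and the one-placeholder-per-value form is the usual driver-level fix. The `tagging_taggeditem` table contents and the helper names (`make_db`, `build_unsafe`, `sanitize_ints`, `query_by_ids`) are constructed for this example.

```python
import sqlite3

# Constructed sample rows standing in for the OP's tagging_taggeditem table
SAMPLE_ROWS = [(1, 10), (5, 20), (9, 30), (42, 40)]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tagging_taggeditem (object_id INTEGER, tag_id INTEGER)"
    )
    conn.executemany("INSERT INTO tagging_taggeditem VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_unsafe(ids):
    """The construction from the thread: every element of ids is pasted into
    the SQL text verbatim, so the query shape depends on the caller's data.
    Returned as text only; nothing here executes it."""
    return """SELECT titem.object_id, titem.tag_id
FROM tagging_taggeditem titem
WHERE titem.object_id IN (%s)""" % ','.join([str(x) for x in ids])


def sanitize_ints(ids):
    """Assumed form of the reply's "easy sanitizer": force every element
    through int(), so anything that is not an integer literal raises
    ValueError before it can reach the SQL text. Caveat: floats are
    silently truncated (int(1.9) == 1), so this only suits integer ids."""
    return [int(x) for x in ids]


def query_by_ids(conn, ids):
    """Preferred form: one '?' placeholder per value. The values travel to
    the driver as parameters and are never parsed as SQL; the only thing
    formatted into the query text is the placeholder list itself."""
    clean = sanitize_ints(ids)
    if not clean:
        # "IN ()" is a syntax error in most engines; short-circuit instead
        return []
    placeholders = ','.join('?' * len(clean))  # e.g. "?,?,?"
    sql = (
        "SELECT titem.object_id, titem.tag_id FROM tagging_taggeditem titem "
        "WHERE titem.object_id IN (%s) ORDER BY titem.object_id" % placeholders
    )
    return conn.execute(sql, clean).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_by_ids(db, [1, "5", 9]))
    print(build_unsafe(["1", "5 OR 1=1"]))
    try:
        sanitize_ints(["1", "5 OR 1=1"])
    except ValueError as exc:
        print("sanitizer rejected input:", exc)
```

The int() coercion works for this particular case because the column is numeric, which is what the reply is getting at; it does not generalise to string columns, where only the placeholder form keeps data and SQL apart.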