how to replace and string in a "SELECT ... IN ()"

Benjamin Kaplan benjamin.kaplan at
Fri Sep 26 21:28:39 CEST 2008

On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin <d3vvnull at> wrote:

> Doesn't it depend on where and why you intend to execute the code?
> Obviously some SQL is more at risk for exploit when the input is from the
> screen on a web page than if you were running parameterized code in a
> controlled batch environment.  Or if you were writing code generators (which
> is what I happen to do) which won't be run by the general public.
> Incidentally, couldn't input field edits prevent such exploits prior to
> interpolation?

There are ways to avoid SQL injection attacks, such as escaping all quotes
in the text. We were simply pointing out that you have to be very careful
when you add arbitrary strings into SQL statements. If you control
everything going into the statement, you shouldn't have to worry about this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Python-list mailing list