Stephen Hansen apt.shansen at gmail.com
Fri Aug 14 06:59:19 CEST 2009

> Currently I am working on just a prototype to show what is possible to
> be done to get me some funding for my future work. After that I will
> get over to SQL Alchemy. Its ORM will take over this business for
> me.
> A lot of people are not aware of SQL injection. My friend from college
> asked me and a couple of other guys for pen testing of a website. His
> SQL injection mistake made him an epic fail.

You don't really need to go the full ORM route to do this safely --
constructing SQL from user input is not only wrong from a security point of
view, but it's actually just harder to do it that way than to use the
mechanisms provided in PEP-249 compliant DB-API modules. Life's easier if
you use parameterized queries, really :)

You're probably connecting to your database via a DB-API compatible library,
I assume? Most are. If so, it's simply a matter of:

cur = con.cursor()
cur.execute("SELECT name FROM blah WHERE id = ? AND zone = ?", (my_id,
                                                                my_zone))  # second value assumed; original line was cut off

All DB-API compliant modules support this, though some mark the parameters
differently. That's qmark, some alternates are numeric (:1, :2, etc), some
named (:id, :zone), some format (%s, %d, etc), some pyformat, (%(id)d,

The module should provide a 'paramstyle' stating what is supported.
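As an added example (not Stephen's code), here is the same lookup done both ways against a constructed in-memory sqlite3 table named `blah`: the string-built version lets a quote in the input rewrite the WHERE clause, the parameterized version does not, and the statement is chosen by the module's `paramstyle` attribute, which for sqlite3 is qmark.

```python
import sqlite3

# The same parameterized statement written in each DB-API 2.0 (PEP 249)
# paramstyle; a module's `paramstyle` attribute says which one it accepts.
STATEMENT_BY_PARAMSTYLE = {
    "qmark":    "SELECT name FROM blah WHERE id = ? AND zone = ?",
    "numeric":  "SELECT name FROM blah WHERE id = :1 AND zone = :2",
    "named":    "SELECT name FROM blah WHERE id = :id AND zone = :zone",
    "format":   "SELECT name FROM blah WHERE id = %s AND zone = %s",
    "pyformat": "SELECT name FROM blah WHERE id = %(id)s AND zone = %(zone)s",
}

def build_db():
    """Constructed in-memory sample table; not real application data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE blah (id INTEGER, zone TEXT, name TEXT)")
    con.executemany("INSERT INTO blah VALUES (?, ?, ?)",
                    [(1, "east", "alice"), (2, "west", "bob"), (3, "east", "carol")])
    return con

def lookup_unsafe(con, my_id, my_zone):
    """Builds the SQL text from the inputs: the values become part of the
    statement, so a quote inside `my_zone` changes the WHERE clause."""
    sql = "SELECT name FROM blah WHERE id = %s AND zone = '%s'" % (my_id, my_zone)
    cur = con.cursor()
    cur.execute(sql)
    return [row[0] for row in cur.fetchall()]

def lookup_safe(con, my_id, my_zone):
    """Passes the values separately; the driver binds them as data, never as SQL."""
    sql = STATEMENT_BY_PARAMSTYLE[sqlite3.paramstyle]   # sqlite3 reports "qmark"
    cur = con.cursor()
    cur.execute(sql, (my_id, my_zone))
    return [row[0] for row in cur.fetchall()]

if __name__ == "__main__":
    con = build_db()
    tainted_zone = "east' OR '1'='1"   # constructed input containing a quote
    print(lookup_unsafe(con, 1, tainted_zone))  # every row: the clause was rewritten
    print(lookup_safe(con, 1, tainted_zone))    # []: no zone has that literal name
```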

