SQL and CSV

andrew cooke andrew at acooke.org
Fri May 8 12:38:33 EDT 2009


even if you're not open to injection attacks, you're still less likely to
get escaping correct than a purpose written, widely used library.

my request for more information was directed to lawrence, who said "until
you hit things it can't deal with" which seemed to be some kind of cryptic
argument against parameters.

andrew


Nick wrote:
> On May 8, 1:49 pm, "andrew cooke" <and... at acooke.org> wrote:
>> Lawrence D'Oliveiro wrote:
>> > In message <gu0ofm$oj9$0... at news.t-online.com>, Peter Otten wrote:
>>
>> >> While it may not matter here using placeholders instead of manually
>> >> escaping user-provided values is a good habit to get into.
>>
>> > Until you hit things it can't deal with.
>>
>> The post you are replying to was talking about using the SQL library's
>> "?"
>> syntax that automatically escapes values.  The usual reason this is
>> recommended (if I have understood correctly) is that the library code is
>> much more likely to foil injection attacks.  I have seen this mentioned
>> often and assume it is good advice.
>>
>> Can you expand on your comment?  I assume you are thinking of how the
>> library might handle some strange class.  But aren't the number of types
>> limited by SQL?  In which case a "thing that can't be handled" could
>> presumably be managed by adding an appropriate __str__ or __float__ or
>> whatever?  And you would still use the library to give safety with other
>> values.
>>
>> Maybe you could give an example of the kind of problem you're thinking
>> of?
>>
>> Thanks,
>> Andrew
>
> Injection attacks aren't an issue, it's a local app.
>
> It's part of a reconciliation system, where sometimes data is in csv
> files. If you want the whole csv file, you can use csv module without
> a problem.
>
> In some cases, I need to manipulate the data.
>
> The choices are hard code the manipulation, or load the data from a
> config file.
>
> So what I've got is the query in the config and I can process it.
>
> Nick
> --
> http://mail.python.org/mailman/listinfo/python-list
>
>
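As an added illustration of the point made in this thread (this code is not from any of the posters), the snippet below runs the same lookup twice against an in-memory sqlite3 table: once with the value spliced into the SQL string by hand, once bound through the DB-API "?" placeholder. The sample rows are constructed for the example; one account name contains an apostrophe, the everyday case where hand escaping goes wrong even in a local, non-hostile app. It also registers a sqlite3 adapter for Decimal, which is the "add an appropriate conversion" step Andrew describes for a type the driver cannot bind on its own.

```python
import sqlite3
from decimal import Decimal

# Constructed sample data (not from the thread): reconciliation-style rows
# where one account name contains a single quote.
ROWS = [
    ("O'Brien Ltd", Decimal("10.50")),
    ("Acme", Decimal("3.25")),
]

# Decimal is not a type sqlite3 can bind directly; register an adapter so
# placeholders keep working for it. Stored as text to avoid float rounding.
sqlite3.register_adapter(Decimal, lambda d: str(d))


def build_db():
    """Create an in-memory table and load ROWS through placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ledger (account TEXT, amount TEXT)")
    conn.executemany("INSERT INTO ledger VALUES (?, ?)", ROWS)
    return conn


def lookup_naive(conn, account):
    """Hand-built SQL: the value is spliced into the statement as-is."""
    sql = "SELECT amount FROM ledger WHERE account = '%s'" % account
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, account):
    """Placeholder binding: the driver handles quoting of the value."""
    sql = "SELECT amount FROM ledger WHERE account = ?"
    return [row[0] for row in conn.execute(sql, (account,))]


def compare(account):
    """Return (naive_result, param_result) for one account name.

    The naive result is an error string when the hand-built SQL is malformed.
    """
    conn = build_db()
    try:
        try:
            naive = lookup_naive(conn, account)
        except sqlite3.Error as exc:
            naive = "error: %s" % exc
        param = lookup_param(conn, account)
    finally:
        conn.close()
    return naive, param


if __name__ == "__main__":
    for name in ("Acme", "O'Brien Ltd"):
        print(name, compare(name))
```

For "Acme" both lookups agree; for "O'Brien Ltd" the hand-built statement is rejected by SQLite as malformed while the placeholder version returns the row. Whether malformed SQL is an attack or merely a bug depends on who controls the CSV, but the library escaping is correct either way.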