store encrypted data in sqlite ?

Carsten Haese carsten.haese at gmail.com
Fri Oct 2 22:41:01 CEST 2009


Stef Mientki wrote:
> hello,
> 
> I want to store some fields in an sqlite database.
> 
> I use ezPyCrypto to encrypt and decrypt:
> 
> User = ['z684684', 'Mientki, Stef', 1,1,0,1,1 ]
> 
> encryption_key_1 = ezPyCrypto.key ( 512 )
> 
> SQL_Base = 'insert or replace into __USERS__ values ('
> for field in User :
>    SQL += ",'" + encryption_key_1.encString ( str ( item ))+ "'"
> SQL += ')'
> 
> 
> Now this fails, probably, because the second character of the encrypted
> string is a binary zero.
> 
> By trial and error, I found a work around,
> but I'm not sure this will garantee that it will work always:
> by converting the encrypted buffer with base64.encode:
> 
>    SQL += ",'" + base64.encodestring(EnCrypt_1 ( str ( item )))+ "'"
> 
> Will this method work always ?
> Are there better methods ?

There is definitely a better method! You should use parameter binding
instead of rolling the query by hand:

SQL = "insert or replace into __USERS__ values (?,?,?,?,?,?,?)"
params = [ encryption_key_1.encString(str(x)) for x in User ]
cur.execute(SQL, params)

That way, the parameters are passed separately and safely, and the query
syntax is protected from all the dangerous characters that are floating
around in the parameters.

HTH,

--
Carsten Haese
http://informixdb.sourceforge.net




More information about the Python-list mailing list