store encrypted data in sqlite ?
Carsten Haese
carsten.haese at gmail.com
Fri Oct 2 16:41:01 EDT 2009
Stef Mientki wrote:
> hello,
>
> I want to store some fields in an sqlite database.
>
> I use ezPyCrypto to encrypt and decrypt:
>
> User = ['z684684', 'Mientki, Stef', 1,1,0,1,1 ]
>
> encryption_key_1 = ezPyCrypto.key ( 512 )
>
> SQL = 'insert or replace into __USERS__ values ('
> for item in User :
>     SQL += ",'" + encryption_key_1.encString ( str ( item ))+ "'"
> SQL += ')'
>
>
> Now this fails, probably, because the second character of the encrypted
> string is a binary zero.
>
> By trial and error, I found a workaround,
> but I'm not sure this will guarantee that it will work always:
> by converting the encrypted buffer with base64.encode:
>
> SQL += ",'" + base64.encodestring(EnCrypt_1 ( str ( item )))+ "'"
>
> Will this method work always ?
> Are there better methods ?
There is definitely a better method! You should use parameter binding
instead of rolling the query by hand:

  SQL = "insert or replace into __USERS__ values (?,?,?,?,?,?,?)"
  params = [ encryption_key_1.encString(str(x)) for x in User ]
  cur.execute(SQL, params)

That way, the parameters are passed separately and safely, and the query
syntax is protected from all the dangerous characters that are floating
around in the parameters.

HTH,
--
Carsten Haese
http://informixdb.sourceforge.net
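
An added example, not part of the original message: the parameter binding described in the reply, run against Python 3's built-in sqlite3 module, with constructed byte strings standing in for the ezPyCrypto output. The users table, its three columns and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample values standing in for ciphertext: like encrypted
# output, they contain NUL bytes, single quotes and non-ASCII bytes.
SAMPLE_FIELDS = [
    b"\x8a\x00\x17\xf3",
    b"O'Brien\x00\x9c",
    b"\xff\xfe'--",
]

def make_db():
    """In-memory database with a hypothetical three-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid BLOB, name BLOB, flag BLOB)")
    return conn

def insert_concatenated(conn, fields):
    """Hand-rolled query as in the question: values pasted into the SQL text."""
    sql = "INSERT OR REPLACE INTO users VALUES ("
    sql += ",".join("'" + f.decode("latin-1") + "'" for f in fields)
    sql += ")"
    try:
        conn.execute(sql)
        return True
    except (sqlite3.Error, ValueError):
        # A NUL byte or a quote inside the data broke the statement text.
        return False

def insert_bound(conn, fields):
    """Parameter binding: fixed statement text, values passed separately."""
    sql = "INSERT OR REPLACE INTO users VALUES (?,?,?)"
    conn.execute(sql, fields)  # bytes objects are stored as BLOBs
    return conn.execute("SELECT userid, name, flag FROM users").fetchone()

def stored_type(conn):
    """Storage class SQLite recorded for the first column of the row."""
    return conn.execute("SELECT typeof(userid) FROM users").fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    print("concatenated insert succeeded:",
          insert_concatenated(conn, SAMPLE_FIELDS))
    row = insert_bound(conn, SAMPLE_FIELDS)
    print("bound insert round-trips:", list(row) == SAMPLE_FIELDS)
    print("stored as:", stored_type(conn))
```

With binding, the raw bytes go into the database unchanged, so no base64 step is needed to survive the trip through the query.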