Pickling over a socket
Thomas Rachel
nutznetz-0c1b6768-bfa9-48d5-a470-7603bd3aa915 at spamschutz.glglgl.de
Wed Apr 20 04:25:14 EDT 2011
On 20.04.2011 09:34, Bastian Ballmann wrote:
> No system is totally secure. You can _always_ poke around if a program
> uses user input.
It depends on what the program does with the input. If it treats it
appropriately, nothing can happen.
> For example one can totally own a complete computer by
> nothing more than a single sql injection attack even if the programmer
> implemented some filters.
What do you want with filters here? Not filtering is appropriate against
SQL injection, but escaping.
If Little Bobby Tables is really called "Robert'); DROP TABLE STUDENTS;
--", it is wrong to reject this string - instead, all dangerous
characters inside it must be quoted (in this case: ') and then it does
not harm at all.
> Now would you say one shouldn't use sql
> databases cause of that? ;)
No, just beware of what can happen and use the DBs and their functions
appropriately.
Thomas
More information about the Python-list mailing list