[OT] Re: Pickling over a socket
balle at chaostal.de
Wed Apr 20 04:59:33 EDT 2011
On Wed, 20 Apr 2011 10:25:14 +0200, Thomas Rachel
<nutznetz-0c1b6768-bfa9-48d5-a470-7603bd3aa915 at spamschutz.glglgl.de> wrote:
> It depends on what the program does with the input. If it treats it
> appropriately, nothing can happen.
Yes, but the question seems to be what is appropriately.
> What do you want with filters here? Not filtering is appropriate
> against SQL injection, but escaping.
Escaping in strings, filtering with numbers etc.
> If Little Bobby Tables is really called "Robert'); DROP TABLE
> STUDENTS; --", it is wrong to reject this string - instead, all
> dangerous characters inside it must be quoted (in this case: ') and
> then it does not harm at all.
Well you forgot to escape ; and \ but this seems to slide into OT ;)
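The Little Bobby Tables exchange above, as an added example that is not part of the original thread: binding the name as a query parameter (the driver's placeholder mechanism rather than hand escaping) stores the awkward string intact, including the ', ; and \ mentioned in the reply, and the table survives. It assumes an in-memory SQLite database and constructed sample names.

```python
import sqlite3

# Constructed sample names: the Bobby Tables string from the thread plus
# two values carrying the characters the reply says must also be handled.
TRICKY_NAMES = [
    "Robert'); DROP TABLE STUDENTS; --",
    "semi;colon",
    "back\\slash",
]


def make_db():
    """Create an in-memory SQLite database with a STUDENTS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE STUDENTS (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_student(conn, name):
    """Insert one name through a bound parameter, never string formatting.

    The driver passes the value separately from the SQL text, so no
    character in it can close the literal or end the statement, and the
    value itself is neither rejected nor altered."""
    conn.execute("INSERT INTO STUDENTS (name) VALUES (?)", (name,))
    conn.commit()


def list_students(conn):
    """Return the stored names in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM STUDENTS ORDER BY id")]


def table_exists(conn, table):
    """Check sqlite_master to confirm the table was not dropped; the
    table name is compared as bound data, not spliced into the SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row[0] == 1


def demo():
    """Store every tricky name; return (stored names, table still there)."""
    conn = make_db()
    for name in TRICKY_NAMES:
        insert_student(conn, name)
    return list_students(conn), table_exists(conn, "STUDENTS")


if __name__ == "__main__":
    names, intact = demo()
    for n in names:
        print(repr(n))
    print("STUDENTS table intact:", intact)
```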