Pickling over a socket
balle at chaostal.de
Wed Apr 20 05:41:21 EDT 2011
Am Wed, 20 Apr 2011 19:26:44 +1000
schrieb Chris Angelico <rosuav at gmail.com>:
> Yes, but the other half of the issue is that you have to treat
> anything that comes over the network as "user input", even if you
> think it's from your own program that you control.
> Buffer overruns can happen in all sorts of places; SQL injection can
> only happen where you talk to the database. And it IS just a matter of
> using a magic auto-escape function, if your library is set up right -
No. Not all data is strings.
> Not at all; just never *trust* user input. Where thou typest foo,
> someone someday will type...
I never *trust* the user *blindly* as you do with your
magic-escape-function so where do we disagree?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 198 bytes
Desc: not available
More information about the Python-list