Pickling over a socket

Thomas Rachel nutznetz-0c1b6768-bfa9-48d5-a470-7603bd3aa915 at spamschutz.glglgl.de
Wed Apr 20 10:25:14 CEST 2011


Am 20.04.2011 09:34, schrieb Bastian Ballmann:

> No system is totally secure. You can _always_ poke around if a program
> uses user input.

It depends on what the program does with the input. If it treats it 
appropriately, nothing can happen.


> For example one can totally own a complete computer by
> nothing more than a single sql injection attack even if the programmer
> implemented some filters.

What do yu want with filters here? Not filtering is appropriate against 
SQL injection, but escaping.

If Little Bobby Tables is really called "Robert'); DROP TABLE STUDENTS; 
--", it is wrong to reject this string - instead, all dangerous 
characters inside it must be quoted (in this case: ') and then it does 
not harm at all.


 > Now would you say one shouldnt use sql
> databases cause of that? ;)

No, just beware of what can happen and use the dbs and its functions 
appropriately.


Thomas



More information about the Python-list mailing list