[Tutor] Re: Please advice me on my code
Lee Harr
missive at hotmail.com
Wed Sep 29 23:00:28 CEST 2004
>Oh, one question, I don't really understand which method of my code
>will leave it wide open to SQL injection attacks?
>Can you please explain to me...sorry for that, I'm a bit slow.
>
# The value the user is expected to send: a plain number.
qtext = 5
query = "select * from a where x=%(qtext)s" % {'qtext': qtext}
print(query)
# The same formatting with a value that carries extra SQL: the text is
# pasted straight into the statement, so the second statement becomes SQL.
qtext = '5; delete from b;'
query = "select * from a where x=%(qtext)s" % {'qtext': qtext}
print(query)
That is the basic problem. The db connector should have
another way to quote your variables which is pretty much
bulletproof. I am not sure how to do it with the pg module.
You need to research that and make sure you do it right...
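An added example (not from this thread) showing the difference between the string-formatted query above and DB-API parameter binding. It uses the standard-library sqlite3 module with constructed in-memory tables a and b as a stand-in, since the pg module's quoting API is not covered here; executescript is used on the unsafe path only to mimic a driver that runs every statement it is handed.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with tables a and b like the poster's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table a (x integer)")
    conn.execute("create table b (y integer)")
    conn.executemany("insert into a values (?)", [(5,), (6,)])
    conn.executemany("insert into b values (?)", [(1,), (2,)])
    conn.commit()
    return conn


def build_query_unsafe(qtext):
    """The pattern from the post: the value is pasted into the SQL text."""
    return "select * from a where x=%(qtext)s" % {"qtext": qtext}


def run_unsafe(conn, qtext):
    """Execute the formatted text as a script, as a multi-statement driver would.

    sqlite3's execute() refuses more than one statement, which hides the
    problem; executescript() runs whatever statements the string contains.
    """
    conn.executescript(build_query_unsafe(qtext))
    conn.commit()


def run_safe(conn, qtext):
    """DB-API parameter binding: the driver sends qtext as a value, never as SQL."""
    cur = conn.execute("select * from a where x=?", (qtext,))
    return cur.fetchall()


def count_b(conn):
    """Check used to see whether table b survived a query."""
    return conn.execute("select count(*) from b").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    print(build_query_unsafe("5; delete from b;"))
    print(run_safe(conn, 5))                    # [(5,)]
    print(run_safe(conn, "5; delete from b;"))  # [] -- compared as data
    print(count_b(conn))                        # 2, table b untouched
```

With binding, the tampered value is just a string that matches no row; sqlite3's paramstyle is `?`, and other drivers use `%s` or `:name`, so check `module.paramstyle` for the connector you actually use.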