[Tutor] Didn't take long to hit my next wall!
Alan Gauld
alan.gauld at freenet.co.uk
Mon Apr 17 11:00:58 CEST 2006
>> query = '''UPDATE cost_grid
>> SET cost_1 = %s
>> WHERE cost_grid_id = %s
>> AND finish_dro = %s''' % ( a,c,b)
>> c.execute(query)
>
> Yikes! Alan! Certainly you know what an SQL injection attack is? And what
> if the data contains special characters?
>
> For those who don't know, imagine what happens in the above if
> b = '91.4; drop table cost_grid;'
Yes that's true and a very good point, you do need to do some validation
if the inputs are coming from, for example, a web site. Creating the string
yourself means taking responsibility for checking the parameters. If that's an
issue execute() is probably a better bet; in my work that's never an issue
since the data normally comes to me well formatted.
Alan G
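As an added example (not part of the thread), the two approaches side by side on an in-memory sqlite3 table: the column names come from the quoted query, while the table layout, sample rows and the helper names are constructed for this demo. It shows that a plain apostrophe already breaks the string-formatted version, while execute() with a parameter tuple handles both the apostrophe and the thread's injection string as ordinary data.

```python
import sqlite3

# Constructed in-memory stand-in for the thread's cost_grid table
# (column names from the thread; rows and types are made up).
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cost_grid "
                 "(cost_grid_id INTEGER, finish_dro TEXT, cost_1 REAL)")
    conn.executemany("INSERT INTO cost_grid VALUES (?, ?, ?)",
                     [(1, "91.4", 10.0), (2, "O'Brien", 20.0)])
    return conn

def update_unsafe(conn, a, c, b):
    # The thread's pattern: values are pasted into the SQL text, so any
    # quote or semicolon in them becomes part of the statement itself.
    query = '''UPDATE cost_grid
    SET cost_1 = %s
    WHERE cost_grid_id = %s
    AND finish_dro = %s''' % (a, c, b)
    return conn.execute(query).rowcount

def update_safe(conn, a, c, b):
    # Parameterised form: the driver keeps the values separate from the
    # statement, so they are only ever compared as data. sqlite3 uses '?'
    # placeholders; other DB-API drivers use '%s' with the same tuple form.
    query = '''UPDATE cost_grid
    SET cost_1 = ?
    WHERE cost_grid_id = ?
    AND finish_dro = ?'''
    return conn.execute(query, (a, c, b)).rowcount

def demo():
    conn = setup_db()
    results = {}
    # An apostrophe in the data is enough to break the unsafe form:
    # "finish_dro = O'Brien" is not valid SQL, so sqlite3 raises.
    try:
        update_unsafe(conn, 12.5, 2, "O'Brien")
        results["unsafe_apostrophe"] = "updated"
    except sqlite3.Error as exc:
        results["unsafe_apostrophe"] = "error: " + type(exc).__name__
    # The parameterised form updates row 2 (rowcount 1) with cost_1 = 12.5.
    results["safe_apostrophe"] = update_safe(conn, 12.5, 2, "O'Brien")
    # The thread's injection string is compared as a literal: no row has
    # that finish_dro, so nothing changes and the table survives.
    results["safe_injection"] = update_safe(conn, 99.0, 1,
                                            "91.4; drop table cost_grid;")
    results["table_exists"] = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' "
        "AND name='cost_grid'").fetchone()[0] == 1
    results["cost_2"] = conn.execute(
        "SELECT cost_1 FROM cost_grid WHERE cost_grid_id = ?", (2,)).fetchone()[0]
    return results

if __name__ == "__main__":
    print(demo())
```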