[Tutor] [OT] Secure coding guidelines
Kent Johnson
kent37 at tds.net
Sun Oct 11 02:52:21 CEST 2009
On Sat, Oct 10, 2009 at 5:31 AM, Didar Hossain <didar.hossain at gmail.com> wrote:
> Hi,
>
> This is a little off-topic, but, I though I might put this question in.
>
> Since I am learning Python, I was wondering if there are any good
> references on secure
> coding practices. Books, guides or even any howtos would suffice.
I don't know any references, but a few tips:
- don't use eval or exec on untrusted code
- don't unpickle data from an untrusted source
- don't use string formatting to create SQL statements - use the
two-argument form of execute() to pass args as a sequence
- AFAIK there is no generally accepted, secure sandbox for running
untrusted Python code (other than Google App Engine I guess) so don't
run untrusted code
Kent
More information about the Tutor
mailing list