[Tutor] [OT] Secure coding guidelines

Weidner, Ronald RWeidner at ea.com
Tue Oct 13 16:28:40 CEST 2009


In reference to this tip, my question is why?

- don't use string formatting to create SQL statements - use the
two-argument form of execute() to pass args as a sequence

--
Ronald Weidner


-----Original Message-----
From: tutor-bounces+rweidner=ea.com at python.org [mailto:tutor-bounces+rweidner=ea.com at python.org] On Behalf Of Kent Johnson
Sent: Saturday, October 10, 2009 8:52 PM
To: Didar Hossain
Cc: tutor at python.org
Subject: Re: [Tutor] [OT] Secure coding guidelines

On Sat, Oct 10, 2009 at 5:31 AM, Didar Hossain <didar.hossain at gmail.com> wrote:
> Hi,
>
> This is a little off-topic, but, I thought I might put this question in.
>
> Since I am learning Python, I was wondering if there are any good
> references on secure
> coding practices. Books, guides or even any howtos would suffice.

I don't know any references, but a few tips:
- don't use eval or exec on untrusted code
- don't unpickle data from an untrusted source
- don't use string formatting to create SQL statements - use the
two-argument form of execute() to pass args as a sequence
- AFAIK there is no generally accepted, secure sandbox for running
untrusted Python code (other than Google App Engine I guess) so don't
run untrusted code

Kent
_______________________________________________
Tutor maillist  -  Tutor at python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
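An added illustration of the "why" behind that tip (not code from the thread): the same lookup written both ways, run against a constructed in-memory sqlite3 table, so you can see what each form does with a value that contains SQL syntax characters.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2"), ("o'brien", "s3")])
    return conn


def lookup_formatted(conn, name):
    # The pattern Kent warns against: the value is spliced into the SQL text,
    # so the database parser reads the user's characters as part of the statement.
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Two-argument execute(): the SQL text is fixed; the value travels separately
    # and is bound as data by the driver, whatever characters it contains.
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


def compare(name):
    # Returns (result of the formatted query, result of the parameterized query).
    conn = make_db()
    try:
        formatted = lookup_formatted(conn, name)
    except sqlite3.Error as exc:
        # A quote inside the value breaks the statement the formatted form built.
        formatted = "error: %s" % exc.__class__.__name__
    return formatted, lookup_parameterized(conn, name)


if __name__ == "__main__":
    for value in ("alice", "o'brien", "x' OR 'a'='a"):
        print(repr(value), "->", compare(value))
```

For a plain name both forms agree; for `o'brien` the formatted statement is malformed while the bound parameter finds the row; for a value carrying `OR`, the formatted statement's WHERE clause changes meaning and returns every row, while the bound parameter matches nothing because it is compared as a literal string.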
