[Tutor] [OT] Secure coding guidelines

Kent Johnson kent37 at tds.net
Tue Oct 13 20:31:54 CEST 2009

On Tue, Oct 13, 2009 at 11:49 AM, Serdar Tumgoren <zstumgoren at gmail.com> wrote:
>> In reference to this tip,  my question is why?
>> - don't use string formatting to create SQL statements - use the
>> two-argument form of execute() to pass args as a sequence
> SQL injection is the primary reason:
> http://en.wikipedia.org/wiki/SQL_injection

And the classic xkcd:

I'm not sure about this, but I think there is also a possible
performance boost if you are executing the same SQL with different
parameters; if the parameters are not part of the SQL then there is
some pre-processing that can be cached and re-used.


More information about the Tutor mailing list