[Tutor] [OT] Secure coding guidelines
kent37 at tds.net
Tue Oct 13 20:31:54 CEST 2009
On Tue, Oct 13, 2009 at 11:49 AM, Serdar Tumgoren <zstumgoren at gmail.com> wrote:
>> In reference to this tip, my question is why?
>> - don't use string formatting to create SQL statements - use the
>> two-argument form of execute() to pass args as a sequence
> SQL injection is the primary reason:
And the classic xkcd:
I'm not sure about this, but I think there is also a possible
performance boost if you are executing the same SQL with different
parameters; if the parameters are not part of the SQL then there is
some pre-processing that can be cached and re-used.
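Added example (not part of Kent's post or the Tutor thread): the same lookup written both ways against an in-memory sqlite3 database, with a constructed users table. The parameterised form passes the value as the second argument of execute(), so the database driver never sees the input as part of the statement text; the formatted form splices it in, which is why a perfectly legitimate name containing a quote breaks it. The table contents and function names are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample rows for this example; the third name carries a quote
# on purpose, because that is the simplest input that separates the two styles.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """Build an in-memory database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    # executemany() sends one statement and binds each row's parameters to it,
    # which is the "same SQL, different parameters" case Kent mentions.
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_email_formatted(conn, name):
    """The pattern the tip warns against: the value becomes part of the SQL text."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_email_param(conn, name):
    """Two-argument execute(): the value is bound to the ? placeholder as data."""
    sql = "SELECT email FROM users WHERE name = ?"
    row = conn.execute(sql, (name,)).fetchone()
    return row[0] if row else None


def formatted_breaks_on(conn, name):
    """True if the string-formatted query fails to even parse for this input."""
    try:
        find_email_formatted(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for who in ("alice", "O'Brien"):
        print(who, "->", find_email_param(db, who))
        print("formatted query breaks:", formatted_breaks_on(db, who))
```

Running it shows the parameterised lookup returning obrien@example.com for O'Brien, while the formatted version raises sqlite3.OperationalError because the embedded quote ends the string literal early. The same separation of statement and data is what lets a driver prepare the statement once and re-bind values on each call.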