[Tutor] Python sqlite3 issue

Danny Yoo dyoo at hashcollision.org
Mon Oct 20 20:08:08 CEST 2014


>>>> insert_db(12, "abc.com", "author", "message")
> INSERT INTO TOPICS (ID, URL, AUTHOR, MESSAGE) VALUES (12, abc.com,
> author, message)
>>>>
>
> I've never used format like that.  It looks like you need to quote the
> strings.  I don't know if you can tell format to do that or if you
> have to escape them.


In normal situations, this might be good advice.  When the string
being produced is itself to be interpreted as code, though, we want to
see if there's already some library to do the templating and quoting
for us.  Otherwise, it is extraordinarily easy to leave an
"injection attack" vulnerability.

It doesn't even have to be one with malicious intent.  See the
following from way back in 2005:

    https://mail.python.org/pipermail/tutor/2005-June/039213.html

In this case, getting it wrong just means that certain good inputs are
treated incorrectly.  So there's good reason to do this just so that
our programs work.

This is one of those issues that a programmer has to be aware of, to
treat data with the proper respect and wariness.  "Code is data, and
data is code," is one of the mantras that the Lisp programmers use.
When data becomes code, that's when we have to be especially careful.

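A worked example added here, not part of Danny's message or the thread: the quoted insert_db rebuilt with str.format beside the sqlite3 placeholder form, showing how an ordinary message containing an apostrophe breaks the hand-built query while the parameterized version stores it unchanged. The TOPICS table layout is assumed from the quoted INSERT.

```python
import sqlite3

# Constructed example: table layout assumed from the quoted INSERT statement.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TOPICS (ID INTEGER, URL TEXT, AUTHOR TEXT, MESSAGE TEXT)"
    )
    return conn


def insert_db_formatted(conn, id, url, author, message):
    # Quotes added by hand, as the quoted reply suggested.  The values are
    # pasted into the SQL text, so any quote inside them becomes SQL code.
    sql = (
        "INSERT INTO TOPICS (ID, URL, AUTHOR, MESSAGE) "
        "VALUES ({}, '{}', '{}', '{}')".format(id, url, author, message)
    )
    conn.execute(sql)


def insert_db_param(conn, id, url, author, message):
    # sqlite3's own templating: '?' placeholders, values passed separately.
    # The driver never mixes the data into the SQL text, so no escaping is
    # needed and no input can change the statement's structure.
    conn.execute(
        "INSERT INTO TOPICS (ID, URL, AUTHOR, MESSAGE) VALUES (?, ?, ?, ?)",
        (id, url, author, message),
    )


def try_insert(insert_fn, message):
    """Run one insert on a fresh database; report what was stored or why it failed."""
    conn = make_db()
    try:
        insert_fn(conn, 12, "abc.com", "author", message)
    except sqlite3.Error as e:
        return ("error", type(e).__name__)
    row = conn.execute("SELECT MESSAGE FROM TOPICS WHERE ID = 12").fetchone()
    return ("ok", row[0])


if __name__ == "__main__":
    # A perfectly good message that happens to contain an apostrophe.
    text = "it's broken"
    print("formatted:", try_insert(insert_db_formatted, text))
    print("param:    ", try_insert(insert_db_param, text))
```

The formatted version raises a syntax error on the apostrophe, which is the "good inputs treated incorrectly" case Danny describes; the placeholder version round-trips the text exactly.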
