On Mon, Nov 16, 2009 at 4:30 PM, <bangpypers-requ...@python.org> wrote:
> From: Noufal Ibrahim <nou...@gmail.com>
> Message-ID:
> <9963e56e0911160144m44417d94k2f70c2e75759d...@mail.gmail.com>
> Content-Type: text/plain; charset=windows-1252
>
> It's perfectly possible and equally easy to write SQL injection
> exploitable code in Python if you're using the raw DBAPI

That's not quite accurate. The accepted defense against sql injection is
using prepared statements, and DBAPI strongly encourages one to use
prepared statements instead of constructing the sql statement using
string manipulation. Unfortunately, the placeholder MySQLdb uses is "%s",
which is easy to confuse with string interpolation. The sqlite3 dbapi,
for instance, uses '?', which is much clearer.

Vijay
--
http://www.wisdomtap.com/

_______________________________________________
BangPypers mailing list
BangPypers@python.org
http://mail.python.org/mailman/listinfo/bangpypers