On Mon, Nov 16, 2009 at 4:30 PM, <bangpypers-requ...@python.org> wrote:

> From: Noufal Ibrahim <nou...@gmail.com>
> Message-ID:
>        <9963e56e0911160144m44417d94k2f70c2e75759d...@mail.gmail.com>
> Content-Type: text/plain; charset=windows-1252
>
> It's perfectly possible and equally easy to write SQL injection
> exploitable code in Python if you're using the raw DBAPI.
>
>
That's not quite accurate. The accepted defense against SQL injection is
using prepared statements, and DBAPI strongly encourages one to use prepared
statements instead of constructing the SQL statement using string
manipulation. Unfortunately, the placeholder MySQLdb uses is "%s", which is
easy to confuse with string interpolation. The sqlite3 DBAPI, for instance,
uses '?', which is much clearer.

Vijay

--
http://www.wisdomtap.com/
_______________________________________________
BangPypers mailing list
BangPypers@python.org
http://mail.python.org/mailman/listinfo/bangpypers
