On Jun 24, 4:56 pm, Christian Joergensen <[EMAIL PROTECTED]> wrote:
> The problem with SQL injections shouldn't IMHO be solved at driver
> level, but is an application level problem.
This is plain wrong, especially if you want to support more than a single backend in your application. The driver knows the peculiarities of the backend and can quote query arguments accordingly and even use backend features (like preparing queries and sending typed binary parameters instead of strings).

You can try to do the same in your application but it is a lot of work (and no, sql.replace("'", "''") is not enough, especially if you allow multi-byte encodings).

So, if you want to stay on the secure side, choose a well-tested driver and let it do its work.
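As an added illustration of the point made in the reply above (this is example code written for this page, not code from the thread or from Django), the block below contrasts application-level quote doubling with letting the driver bind parameters. It uses Python's standard sqlite3 driver and a constructed in-memory table; the table contents and function names are assumptions. It shows one class of case that quote doubling cannot cover at all (a value spliced into the SQL text outside of quotes, where the driver parses the input as SQL rather than as data) and that parameter binding passes quoted and multi-byte values through as plain data. The multi-byte charset pitfalls the reply mentions are backend-specific and are not reproduced with SQLite here.

```python
import sqlite3

# Constructed sample rows (not taken from the mailing-list thread).
ROWS = [
    (1, "alice", "plain name"),
    (2, "bob", "plain name"),
    (3, "o'neil", "name containing a single quote"),
    (4, "名前", "multi-byte UTF-8 name"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def find_by_name_naive(conn, name):
    """Application-level quoting: double single quotes, then splice into SQL."""
    escaped = name.replace("'", "''")
    sql = "SELECT id, name FROM users WHERE name = '%s'" % escaped
    return conn.execute(sql).fetchall()


def find_by_id_naive(conn, user_id):
    """The same 'escaping' applied to a value spliced WITHOUT surrounding quotes.

    replace() does nothing useful here: whatever the caller passes becomes part
    of the SQL text and is parsed as SQL syntax, not treated as a value.
    """
    escaped = str(user_id).replace("'", "''")
    sql = "SELECT id, name FROM users WHERE id = %s" % escaped
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    """Driver-level binding: the value never touches the SQL text."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_param(conn, user_id):
    """Driver-level binding for the numeric column; non-numeric input simply matches nothing."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def demo():
    """Run both styles against the sample table and collect the outcomes."""
    conn = make_db()
    results = {}
    # Bound parameters hand quotes and multi-byte text to the backend as data.
    results["param_quote"] = find_by_name_param(conn, "o'neil")
    results["param_multibyte"] = find_by_name_param(conn, "名前")
    results["param_id"] = find_by_id_param(conn, 1)
    # A non-numeric value bound to the integer column is compared as data: no row.
    results["param_id_junk"] = find_by_id_param(conn, "abc")
    # The spliced version parses the same input as an SQL identifier and fails,
    # proving the input was interpreted as SQL syntax rather than as a value.
    try:
        find_by_id_naive(conn, "abc")
        results["naive_id_junk"] = "executed"
    except sqlite3.OperationalError as exc:
        results["naive_id_junk"] = "error: %s" % exc
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the block prints one line per case; the bound-parameter lookups return exactly the matching row, while the spliced numeric lookup reports an SQLite error for input that a parameter binding would simply have compared as a value.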