In article <[EMAIL PROTECTED]>, Tor Erik Soenvisen <[EMAIL PROTECTED]> wrote:
>
> How safe is the following code against SQL injection:
>
>     # Get user privilege
>     digest = sha.new(pw).hexdigest()
>     # Protect against SQL injection by escaping quotes
>     uname = uname.replace("'", "''")
>     sql = 'SELECT privilege FROM staff WHERE ' + \
>           'username=\'%s\' AND password=\'%s\'' % (uname, digest)
>     res = self.oraDB.query(sql)
Do yourself a favor at least and switch to using double-quotes for the string. I also recommend switching to triple-quotes to avoid the backslash continuation.
--
Aahz ([EMAIL PROTECTED])           <*>         http://www.pythoncraft.com/

"If you don't know what your program is supposed to do, you'd better not start writing it."  --Dijkstra
--
http://mail.python.org/mailman/listinfo/python-list
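The following is an added example, not code from the thread above. It puts the quoted query side by side with a bind-parameter version so the difference can be exercised against a constructed in-memory table. It assumes Python's standard `sqlite3` module as a stand-in for the Oracle driver behind `self.oraDB` (Oracle drivers such as cx_Oracle use `:name` placeholders where sqlite3 uses `?`), and `hashlib.sha1` as a stand-in for the old `sha` module. The `query_unescaped` variant, with the `replace` line removed, is included only to show what the quote-doubling in the original is defending against; the payload `alice' OR '1'='1` is a constructed test input.

```python
import hashlib
import sqlite3

# Constructed sample data: a one-row staff table standing in for the Oracle table in the post.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "s3cret"


def make_db():
    """Build an in-memory database with a single staff row (constructed test fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, password TEXT, privilege TEXT)")
    # hashlib.sha1 stands in for sha.new(pw).hexdigest() from the original post.
    digest = hashlib.sha1(SAMPLE_PASSWORD.encode()).hexdigest()
    conn.execute("INSERT INTO staff VALUES (?, ?, ?)", (SAMPLE_USER, digest, "admin"))
    conn.commit()
    return conn


def query_unescaped(conn, uname, pw):
    """The posted query with the quote-doubling line removed: pure string building."""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    sql = """SELECT privilege FROM staff WHERE username='%s' AND password='%s'""" % (uname, digest)
    return [row[0] for row in conn.execute(sql)]


def query_escaped(conn, uname, pw):
    """The posted approach: double every single quote in uname, then interpolate.

    Written with double and triple quotes as Aahz suggests, so no backslashes are needed.
    """
    digest = hashlib.sha1(pw.encode()).hexdigest()
    uname = uname.replace("'", "''")
    sql = """SELECT privilege FROM staff WHERE username='%s' AND password='%s'""" % (uname, digest)
    return [row[0] for row in conn.execute(sql)]


def query_bound(conn, uname, pw):
    """Bind parameters: the driver keeps the values out of the SQL text entirely,
    so there is no quoting to get right. (sqlite3 uses '?'; Oracle drivers use ':name'.)"""
    digest = hashlib.sha1(pw.encode()).hexdigest()
    sql = "SELECT privilege FROM staff WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (uname, digest))]


if __name__ == "__main__":
    conn = make_db()
    payload = "alice' OR '1'='1"   # constructed injection attempt, wrong password supplied
    print("unescaped:", query_unescaped(conn, payload, "wrong"))  # privilege returned without the password
    print("escaped:  ", query_escaped(conn, payload, "wrong"))    # no row: quotes are doubled into the literal
    print("bound:    ", query_bound(conn, payload, "wrong"))      # no row: value never touches the SQL text
    print("bound ok: ", query_bound(conn, SAMPLE_USER, SAMPLE_PASSWORD))
```

The escaped and bound variants behave identically on this input; the practical difference is that the bound version has no escaping step to forget or get subtly wrong for a given driver, which is why bind variables are the usual recommendation for this kind of lookup.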