2008/4/13, Steve Holden <[EMAIL PROTECTED]>:
>
> Vlastimil Brom wrote:
> >
> > ... are there any (security ...) risks of using string interpolation
> > for table and column names in the SQL commands? Or are the values,
> > where parametrization (with ? in sqlite3) is supported, the only
> > vulnerable part; whereas e.g. an incorrect value of what should be a
> > name is safe (of course, apart from the unsuccessful command itself)?
> >
> Ultimately that depends where the table and column names come from. If
> they are user inputs then you are still vulnerable to SQL injection, but
> usually that's not the case when a query is being parameterized -
> usually it's values.
>
> As long as you consider the source of your data carefully you'll
> probably be OK.
>
> regards
> Steve
> --
> Steve Holden +1 571 484 6266 +1 800 494 3119
> Holden Web LLC http://www.holdenweb.com/
>

Thanks again, there shouldn't be any insecure data I am now aware of; I just didn't want to introduce possible problem sources, if there would be some more appropriate solution available :-)
Regards, Vlasta
-- http://mail.python.org/mailman/listinfo/python-list
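The thread above makes the point that `?` placeholders in sqlite3 only cover values, so a table or column name that comes from outside still has to be checked before it is interpolated. The following is an added example, not code from either poster, showing one defensive pattern: look the requested table up with a parameterized query against `sqlite_master`, derive the allowed column names from `PRAGMA table_info`, reject anything that is not on that list, and only then quote the verified identifier into the statement while the value still goes through `?`. The `words` table and its rows are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory database for the example (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE words (id INTEGER PRIMARY KEY, lemma TEXT, freq INTEGER)"
    )
    conn.executemany(
        "INSERT INTO words (lemma, freq) VALUES (?, ?)",
        [("alpha", 3), ("beta", 7), ("gamma", 1)],
    )
    return conn


def quote_ident(name):
    """Quote an identifier the SQLite way: double quotes, embedded quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def table_columns(conn, table):
    """Return the real column names of `table`.

    The table name is checked with a parameterized lookup first, so an
    unknown (or malformed) name never reaches the interpolated PRAGMA.
    """
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    if row is None:
        raise ValueError(f"unknown table: {table!r}")
    return {r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")}


def select_ids(conn, table, column, value):
    """SELECT id FROM <table> WHERE <column> = ?, with both identifiers allowlisted.

    Only names that exist in the schema are ever interpolated; the value is
    bound with a placeholder, as the thread recommends.
    """
    allowed = table_columns(conn, table)
    if column not in allowed:
        raise ValueError(f"unknown column {column!r} in table {table!r}")
    sql = (
        f"SELECT id FROM {quote_ident(table)} "
        f"WHERE {quote_ident(column)} = ? ORDER BY id"
    )
    return [r[0] for r in conn.execute(sql, (value,))]


def is_rejected(conn, table, column, value="x"):
    """True if the identifier check refuses the request instead of running it."""
    try:
        select_ids(conn, table, column, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(select_ids(db, "words", "lemma", "beta"))        # [2]
    print(is_rejected(db, "words", 'lem"ma'))              # True
    print(is_rejected(db, "no_such_table", "lemma"))       # True
```

The allowlist comes from the live schema rather than from a regular expression, so a name that merely looks well-formed but does not exist is refused too; the `quote_ident` call is a second line of defence, not the primary check.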