> Steve Holden wrote:
> Fredrik Lundh wrote:
>> Frank Millman wrote:
>>
>>> Each of the APIs includes the capability of passing commands in the
>>> form of 'string + parameters' directly into the database. This means
>>> that the data values are never embedded into the SQL command at all,
>>> and therefore there is no possibility of injection attacks.
My news server didn't get Frank's initial post to the group, so I'm glad that Steve included it in his followup.

The statement above can cause relief or pain. Letting the DBAPI handle proper string escapes, formatting, etc., is a big relief. However, I am still wondering what happens under the covers. If I have a string '1\n' that I've read from some source and I really intend on inserting it into the database as the number 1, and the table column it goes into is of type int or num or float, will the DBAPI really know what to do with the newline?

-- 
David Bear
-- let me buy your intellectual property, I want to own your thoughts --
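The two points in the exchange above, Frank's claim that DB-API placeholders keep data out of the SQL text and David's question about what the engine does with a string like '1\n' bound into a numeric column, can both be observed directly. The following is an added example written for this page, not code from anyone in the thread. It uses Python's standard sqlite3 module (the DB-API driver most people have to hand) and an in-memory table with a constructed set of untrusted input strings. The table name and the inputs are made up for the demonstration.

```python
import sqlite3

# Constructed sample inputs: strings as they might arrive from a file or a form.
RAW_INPUTS = ["1\n", " 42 ", "abc", "1; DROP TABLE accounts"]


def open_db():
    """In-memory database with one INTEGER column (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)")
    return conn


def insert_raw(conn, value):
    """Bind the value exactly as received through a DB-API placeholder.

    The placeholder keeps the value out of the SQL text, so it is always
    data and never part of the statement.  Whether the engine stores a
    string as an integer or leaves it as text is decided by the engine's
    own coercion rules, which is the part David is asking about.
    Returns (typeof, stored_value) so the decision can be inspected.
    """
    cur = conn.execute("INSERT INTO accounts (balance) VALUES (?)", (value,))
    return conn.execute(
        "SELECT typeof(balance), balance FROM accounts WHERE id = ?",
        (cur.lastrowid,),
    ).fetchone()


def to_int_or_none(text):
    """Normalise in the application instead of relying on the engine.

    Python's int() tolerates surrounding whitespace, so '1\\n' -> 1 and
    ' 42 ' -> 42, but anything that is not an integer literal is rejected.
    """
    try:
        return int(text)
    except (TypeError, ValueError):
        return None


def insert_validated(conn, text):
    """Convert first, then bind a real int; the column type is now certain."""
    value = to_int_or_none(text)
    if value is None:
        raise ValueError(f"not an integer: {text!r}")
    cur = conn.execute("INSERT INTO accounts (balance) VALUES (?)", (value,))
    return conn.execute(
        "SELECT typeof(balance), balance FROM accounts WHERE id = ?",
        (cur.lastrowid,),
    ).fetchone()


def table_survives(conn):
    """True if the accounts table still exists (it should: bound values are data)."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'accounts'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    conn = open_db()
    # Show what the engine decided for each raw string rather than assuming it.
    for raw in RAW_INPUTS:
        print(f"raw {raw!r:28} -> stored as {insert_raw(conn, raw)}")
    print("table still present:", table_survives(conn))
    for raw in RAW_INPUTS:
        try:
            print(f"validated {raw!r:22} -> stored as {insert_validated(conn, raw)}")
        except ValueError as exc:
            print(f"validated {raw!r:22} -> rejected ({exc})")
```

Running the script prints, per input, what SQLite made of the raw string and what happens when the application converts first. The string containing "DROP TABLE" is stored verbatim as text and the table is untouched, which is Frank's point. The '1\n' case is exactly where relying on the driver is a guess: SQLite applies its own affinity rules, another engine or driver may do something else, so converting with int() before binding is the only way to be sure an int column receives an int.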