David Bear wrote:
> Steve Holden wrote:
>> Fredrik Lundh wrote:
>>> Frank Millman wrote:
>>>> Each of the API's includes the capability of passing commands in the
>>>> form of 'string + parameters' directly into the database. This means
>>>> that the data values are never embedded into the SQL command at all,
>>>> and therefore there is no possibility of injection attacks.
>
> My news server didn't get Frank's initial post to the group, so I'm glad that
> Steve included it in his followup.
>
> The statement above can cause relief or pain. Letting the DBAPI handle
> proper string escapes, formatting, etc., is a big relief. However, I am
> still wondering what happens under the covers. If I have a string '1\n'
> that I've read from some source and I really intend on inserting it into
> the database as a number 1, if the tape column it goes into is of type int
> or num or float, will the DBAPI really know what to do with the newline?

Yes. If you read the DB API documentation (http://www.python.org/peps/pep-0249.html) you will see that there's a section on "Type Objects and Constructors". It's those that ensure a value will be coerced into the required form if possible.

regards
 Steve
-- 
Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC     www.holdenweb.com
PyCon TX 2006      www.python.org/pycon/
-- 
http://mail.python.org/mailman/listinfo/python-list
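The parameter-passing and type-coercion behaviour discussed in this thread, as an added example using Python's standard sqlite3 module (a DB API 2.0 driver); this is not code from any of the posters, and the table, column names and sample values are constructed for the demonstration:

```python
import sqlite3

# Constructed sample input: an id read from a text source, with a trailing newline,
# and a label that happens to contain a single quote.
RAW_ID = "1\n"
LABEL = "O'Brien's tape"


def setup():
    """Create an in-memory database with an INTEGER column, as in the poster's question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tapes (id INTEGER, label TEXT)")
    return conn


def insert_parameterised(conn, raw_id, label):
    """Bind values through the driver; the SQL text never contains the data.

    The driver does not guess what '1\\n' means, so coerce it in Python first:
    int() tolerates surrounding whitespace, and a non-numeric string raises
    ValueError here instead of silently storing junk.
    """
    tape_id = int(raw_id)
    conn.execute("INSERT INTO tapes (id, label) VALUES (?, ?)", (tape_id, label))
    conn.commit()
    return tape_id


def insert_by_formatting(conn, raw_id, label):
    """The approach the thread warns against: splice the data into the SQL string.

    Any quote character in the data is parsed as SQL; sqlite3 rejects the
    resulting statement, so the function reports the outcome instead of raising.
    """
    sql = "INSERT INTO tapes (id, label) VALUES (%s, '%s')" % (raw_id, label)
    try:
        conn.execute(sql)
        conn.commit()
        return "stored"
    except (sqlite3.Error, sqlite3.Warning):
        return "rejected"


def stored_rows(conn):
    """Return each row with the storage class SQLite actually used for id."""
    return conn.execute(
        "SELECT id, typeof(id), label FROM tapes ORDER BY rowid"
    ).fetchall()
```

With the bound, pre-coerced value the id is stored as an integer and the quote in the label survives intact; the formatted statement is rejected outright.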