Yes, Steve, you have a very good point. Gregarcian, I am using parameterized SQL to avoid such a vulnerability. For example, in your example use name = "%'WAITFOR DELAY '00:00:03'--%" and directly substitute it into the statement "select * from table_name where name like '%s' " % (name). The server will have to wait for three seconds and will return all the rows in the table, which is unwanted. I am trying to use parameterized statements to avoid this sort of SQL injection problem and have not yet managed to fix the LIKE and IN statement problems.
/Raja Raman -- http://mail.python.org/mailman/listinfo/python-list
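The LIKE and IN problems the post describes come down to one rule: the wildcards and the placeholder list are built in Python, but the user's data always travels as bound parameters. The following is an added example (not code from the thread); it uses an in-memory sqlite3 table with constructed rows. sqlite3 has no WAITFOR DELAY, so the vulnerable function is shown with a boolean injection ("%' OR 'x'='x") that returns every row, beside a parameterized LIKE that escapes %, _ and the escape character and a parameterized IN that generates one "?" per value.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original post.
SAMPLE_NAMES = ["alice", "bob", "carol", "50%_off"]


def make_db():
    """Create an in-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def vulnerable_like(conn, name):
    """The pattern from the post: user input pasted straight into the SQL
    text.  A value such as "%' OR 'x'='x" closes the quote and turns the
    WHERE clause into a tautology, so every row comes back."""
    sql = "SELECT name FROM users WHERE name LIKE '%s'" % (name,)
    return [row[0] for row in conn.execute(sql)]


def escape_like(fragment, esc="\\"):
    """Escape the LIKE metacharacters so the fragment is matched literally.
    The escape character itself must be doubled first, or a trailing
    backslash in the input could swallow the wildcard we add later."""
    return (fragment.replace(esc, esc + esc)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))


def safe_like(conn, fragment):
    """Parameterized LIKE: the % wildcards are added in Python around an
    escaped fragment and the whole pattern is bound as one parameter, so
    the input can never change the shape of the statement."""
    pattern = "%" + escape_like(fragment) + "%"
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def safe_in(conn, values):
    """Parameterized IN: one '?' placeholder per value, generated from the
    list length only (no data is formatted into the SQL text), and the
    values bound as a tuple.  An empty list is handled up front because
    'IN ()' is not valid SQL on every database."""
    values = list(values)
    if not values:
        return []
    placeholders = ",".join("?" * len(values))
    sql = "SELECT name FROM users WHERE name IN (%s) ORDER BY id" % placeholders
    return [row[0] for row in conn.execute(sql, tuple(values))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_like(db, "%' OR 'x'='x"))
    print("safe like :", safe_like(db, "%' OR 'x'='x"))
    print("safe like :", safe_like(db, "%"))   # only the literal '%' row
    print("safe in   :", safe_in(db, ["alice", "carol", "nobody"]))
```

The ESCAPE clause matters for the LIKE case: without it, a user who types "%" would match every row even through a bound parameter, because the database still interprets wildcards inside the parameter value. The same placeholder-per-value approach works for any DB-API driver; only the placeholder token (? or %s) changes.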