Tor Erik Soenvisen wrote:
> How safe is the following code against SQL injection:
>
> # Get user privilege
> digest = sha.new(pw).hexdigest()
> # Protect against SQL injection by escaping quotes
> uname = uname.replace("'", "''")
> sql = 'SELECT privilege FR
In article <[EMAIL PROTECTED]>,
Tor Erik Soenvisen <[EMAIL PROTECTED]> wrote:
>
>How safe is the following code against SQL injection:
>
># Get user privilege
>digest = sha.new(pw).hexdigest()
># Protect against SQL injection by escaping quotes
>uname = uname.replac
Tor Erik Soenvisen wrote:
> Hi,
>
> How safe is the following code against SQL injection:
>
> # Get user privilege
> digest = sha.new(pw).hexdigest()
> # Protect against SQL injection by escaping quotes
> uname = uname.replace("'", "''")
> sql = 'SELECT pri
Ben Finney wrote:
> More specifically: They've been debugged for just these kinds of
> purposes
in a well-designed database, the SQL parser never sees the parameter values,
so *injection* attacks are simply not possible.
--
http://mail.python.org/mailman/listinfo/python-list
Paul Rubin <"http://phr.cx"@NOSPAM.invalid> writes:
> Tor Erik Soenvisen <[EMAIL PROTECTED]> writes:
> > # Protect against SQL injection by escaping quotes
>
> Don't ever do that, safe or not. Use query parameters instead.
> That's what they're for.
More specifically: They've been debugg
Tor Erik Soenvisen <[EMAIL PROTECTED]> writes:
> # Protect against SQL injection by escaping quotes
Don't ever do that, safe or not. Use query parameters instead.
That's what they're for.
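To make the advice concrete, here is an added example that is not part of the thread or anyone's posted code. It assumes a `staff` table with columns `uname`, `pwdigest` and `privilege` (the thread only shows `SELECT privilege FROM staff WHERE`, the rest is cut off), uses the standard-library `sqlite3` module as the database, and uses `hashlib.sha1` in place of the old `sha` module. It runs the same lookup three ways: plain string concatenation, the quote-doubling from the question, and query parameters, and shows that a legitimate username containing a single quote breaks the concatenated query while the parameterised one just compares the value.

```python
import hashlib
import sqlite3

# Constructed sample data (not from the thread): (username, password, privilege).
STAFF = [
    ("alice", "alice-pw", "admin"),
    ("o'brien", "ob-pw", "editor"),
]


def digest(pw):
    # Same scheme as the thread (SHA-1 hex digest); hashlib replaces the old sha module.
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


def make_db():
    # In-memory database with the assumed staff table, filled from STAFF.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (uname TEXT, pwdigest TEXT, privilege TEXT)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [(u, digest(p), priv) for u, p, priv in STAFF],
    )
    conn.commit()
    return conn


def privilege_concat(conn, uname, pw):
    # String building: the username text is parsed as part of the SQL statement.
    sql = ("SELECT privilege FROM staff WHERE uname = '" + uname
           + "' AND pwdigest = '" + digest(pw) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def privilege_escaped(conn, uname, pw):
    # The mitigation from the question: double single quotes, then concatenate.
    return privilege_concat(conn, uname.replace("'", "''"), pw)


def privilege_param(conn, uname, pw):
    # Query parameters: the driver passes the values to the engine separately,
    # so the SQL parser never sees them as SQL text.
    sql = "SELECT privilege FROM staff WHERE uname = ? AND pwdigest = ?"
    row = conn.execute(sql, (uname, digest(pw))).fetchone()
    return row[0] if row else None


def compare(uname, pw):
    # Run all three variants on a fresh database and collect the outcomes.
    conn = make_db()
    results = {}
    try:
        results["concat"] = privilege_concat(conn, uname, pw)
    except sqlite3.OperationalError as exc:
        # A quote in the username becomes a syntax error in the concatenated SQL.
        results["concat"] = "error: " + exc.__class__.__name__
    results["escaped"] = privilege_escaped(conn, uname, pw)
    results["param"] = privilege_param(conn, uname, pw)
    conn.close()
    return results


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("o'brien", "ob-pw"), ("alice", "wrong")]:
        print(user, compare(user, pw))
```

The escaped variant happens to work here because SQLite accepts doubled single quotes, but it only covers that one character for that one engine; the parameterised variant needs no knowledge of the engine's quoting rules at all, which is the point the replies above are making.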
Hi,
How safe is the following code against SQL injection:
# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'", "''")
sql = 'SELECT privilege FROM staff WHERE ' + \