SQL is a serialized protocol. The application sends to the database one
single string no matter what API you use.
The only difference between this:
execute('SELECT * FROM Orders WHERE OrderId=%s' % escape(userdata))
and this
execute('SELECT * FROM Orders WHERE OrderId=?', userdata)
is wheth
I understand what everyone is saying. However, a friend of mine still
questions whether web2py's security model is absolutely rock-solid. Even
though SQL injection is "impossible" in web2py, there may still be a way to
circumvent the security. For example, he says...
Let me illustrate with pseu
http://www.pythonsecurity.org/wiki/web2py/
Ovidio Marinho Falcao Neto
ITJP.NET.BR
ovidio...@gmail.com
itjp.net...@gmail.com
Brasil
2014-02-02 Cliff Kachinske :
> http://web2py.com/books/default/chapter/29/01/intro
http://web2py.com/books/default/chapter/29/01/introduction#Security
On Sunday, February 2, 2014 11:33:02 AM UTC-5, horridohobbyist wrote:
>
> Does web2py have a function or means of "sanitizing" user input in order
> to prevent SQL injection attacks?
>
> Thanks.
>
if you pass "raw variables" to DAL's queries, the input is sanitized.
If you instead try to build a query doing cut/paste, e.g.
myquery = "select * from table where field = %s" % raw_variable
then it's not sanitized.
On Sunday, February 2, 2014 5:33:02 PM UTC+1, horridohobbyist wrote:
>
> Does
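As an added example that is not part of this thread and not web2py's own code: the two query styles contrasted in the first post above (escape() plus string formatting versus a `?` placeholder) and in the reply just above (cut/paste of a raw variable versus handing it to the DAL), run side by side against a constructed sqlite3 table so the difference is visible. The Orders table, its rows, the escape() helper, the payload string and the demo() wrapper are all assumptions made for this example; the one-line DAL equivalent in the comment is the ordinary web2py query idiom.

```python
import sqlite3

# Constructed sample data for this example; not from the original thread.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Create an in-memory Orders table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Orders (OrderId INTEGER, Customer TEXT)")
    conn.executemany("INSERT INTO Orders VALUES (?, ?)", ROWS)
    return conn


def escape(value):
    """Naive quote doubling, the kind of escape() the first post alludes to.

    It only protects a quoted string literal; it does nothing for a value
    spliced into an unquoted numeric position such as OrderId=%s.
    """
    return str(value).replace("'", "''")


def orders_by_formatting(conn, userdata):
    """Vulnerable: the value becomes part of the SQL text the parser sees."""
    sql = ("SELECT OrderId, Customer FROM Orders WHERE OrderId=%s ORDER BY OrderId"
           % escape(userdata))
    return conn.execute(sql).fetchall()


def orders_by_parameter(conn, userdata):
    """Safe: the value is bound separately and is never parsed as SQL.

    The web2py DAL idiom db(db.Orders.OrderId == userdata).select()
    binds the value the same way instead of pasting it into the query text.
    """
    sql = "SELECT OrderId, Customer FROM Orders WHERE OrderId=? ORDER BY OrderId"
    return conn.execute(sql, (userdata,)).fetchall()


def demo():
    """Run both styles with an honest value and a constructed tautology payload."""
    conn = make_db()
    honest = "2"
    # Constructed payload: contains no quote character, so escape() cannot see it.
    hostile = "2 OR 1=1"
    return {
        "format_honest": orders_by_formatting(conn, honest),
        "format_hostile": orders_by_formatting(conn, hostile),   # every row leaks
        "param_honest": orders_by_parameter(conn, honest),
        "param_hostile": orders_by_parameter(conn, hostile),     # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the bound parameter the whole string "2 OR 1=1" is compared as a value against OrderId and matches nothing, while the formatted version turns it into `WHERE OrderId=2 OR 1=1` and returns the whole table; escaping quotes does not help because the payload has none.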