
Re: Protection from SQL injection

From: Joe <dev(at)freedomcircle(dot)net>
To: Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it>
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-27 18:25:06
Message-ID: 4814C502.7070604@freedomcircle.net
Lists: pgsql-sql
Ivan Sergio Borgonovo wrote:
> That's better than nothing but it is still a lot of code duplication.
> You've to write column names in the sql statement and in the array
> and... column values are not contextual to the statement.

The apparent duplication in the example stems from its tutorial nature. 
In a real program, the namedict "array" (it's actually a Python 
tuple--an immutable array) would normally be constructed 
programmatically from user or other input. Note also that although 
Joshua chose to use dictionary keys named identically to the PG column 
names, they could be named differently, like "first" and "last".

> That's easy... while what I wrote above does look as requiring a
> really special parser.
>
> Furthermore from the example it looks as if all this is going to
> miss the scope to prevent sql injection since it doesn't support
> prepared statements.

I assume you didn't check the PEP 249 
(http://www.python.org/dev/peps/pep-0249/). The execute() and 
executemany() Cursor object methods are precisely to prepare and execute 
database operations.

Joe
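The point Joe makes about PEP 249 can be seen in a few lines. The following is an added example, not code from this thread or from Joshua's original post: it uses Python's bundled `sqlite3` module (which implements the same PEP 249 `execute()`/`executemany()` interface) so it runs without a PostgreSQL server, and the `person` table, the sample rows and the inputs are constructed for the demonstration. With psycopg2 the named placeholders would be written `%(first)s` / `%(last)s` (pyformat) instead of `:first` / `:last`; the mechanism is the same. The vulnerable version builds the SQL text with string formatting, so the input is parsed as SQL; the parameterized version passes the input as a value, so it is only ever compared as data.

```python
import sqlite3

# sqlite3 is used here as a stand-in PEP 249 driver (assumption: same
# execute()/executemany() semantics as a PostgreSQL driver, different
# placeholder syntax). Table, rows and inputs are constructed samples.

def make_db():
    """Create an in-memory DB and load it with executemany() and a dict per row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (first TEXT, last TEXT)")
    # The "namedict" rows: keys need not match column names, only the
    # placeholder names used in the statement.
    rows = (
        {"first": "Joshua", "last": "Drake"},
        {"first": "Conan", "last": "O'Brien"},
    )
    conn.executemany(
        "INSERT INTO person (first, last) VALUES (:first, :last)", rows
    )
    conn.commit()
    return conn

def find_vulnerable(conn, last):
    """Interpolates the input into the SQL text: the classic injection bug."""
    sql = "SELECT first, last FROM person WHERE last = '%s'" % last
    return conn.execute(sql).fetchall()

def find_parameterized(conn, last):
    """Passes the input as a PEP 249 parameter: the driver never treats it as SQL."""
    sql = "SELECT first, last FROM person WHERE last = :last"
    return conn.execute(sql, {"last": last}).fetchall()

def compare(conn, last):
    """Run both lookups and report row counts; None means the SQL failed to parse."""
    try:
        vuln = len(find_vulnerable(conn, last))
    except sqlite3.OperationalError:
        vuln = None  # e.g. an unbalanced quote broke the statement
    return {"vulnerable": vuln, "parameterized": len(find_parameterized(conn, last))}

if __name__ == "__main__":
    db = make_db()
    # A legitimate name with an apostrophe: the interpolated query errors,
    # the parameterized one finds the row.
    print(compare(db, "O'Brien"))
    # A tautology string: the interpolated query matches every row,
    # the parameterized one matches nothing because no surname equals it.
    print(compare(db, "x' OR '1'='1"))
```

Nothing about `executemany()` requires the dictionary keys to mirror the column names; they only have to match the placeholder names in the statement, which is the point Joe makes about "first" and "last".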
