
Re: Sql injection attacks

From: Pierre-Frédéric Caillaud <lists(at)boutiquenumerique(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-27 06:37:23
Message-ID: opsbr90lipcq72hf@musicbox
Lists: pgsql-general
	Python has an interface like this:

	params = { 'mystrfield': 'hello', 'myintfield': 5 }

	cursor.execute( "SELECT myfield FROM mytable WHERE mystrfield=%(mystrfield)s AND myintfield=%(myintfield)d;", params )

	It has the following advantages:
	- separation of SQL from data
	- named parameters
		- no problem with order
		- one parameter can be reused several times
	- automatic escaping of strings
	- automatic enforcement of int, float etc. types with %d and %f (throws an exception otherwise)

	The only problem so far with Python's DB-API is that it does not understand arrays, so they have to be stringified first.
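As an added example (not part of the original message or of any PostgreSQL driver), the same separation of SQL from data shown with Python's standard-library sqlite3 module, so it runs offline. sqlite3 uses the DB-API "named" paramstyle (:name) rather than the %(name)s pyformat style of the message, but the property is the same: the statement text is fixed and values travel separately. The table, its rows and the hostile inputs are constructed here; the integer check in lookup_safe is a hand-written stand-in for the type enforcement the message attributes to %d.

```python
import sqlite3

# Constructed sample data (not from the original post).
ROWS = [("alice", 5), ("bob", 7), ("carol", 5)]


def make_db():
    """Build an in-memory table matching the column names used in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (mystrfield TEXT, myintfield INTEGER)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name, count):
    """Vulnerable form: data is pasted into the SQL text with % formatting,
    so a quote in `name` or an expression in `count` changes the statement."""
    sql = ("SELECT mystrfield FROM mytable "
           "WHERE mystrfield='%s' AND myintfield=%s" % (name, count))
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name, count):
    """Parameterized form: the SQL text never changes; values are bound by
    name, so order does not matter and a name may be reused in the query."""
    # Stand-in for the %d type enforcement described in the post:
    # refuse anything that is not a plain int (bool is an int subclass).
    if not isinstance(count, int) or isinstance(count, bool):
        raise TypeError("myintfield must be an int, got %r" % (count,))
    sql = ("SELECT mystrfield FROM mytable "
           "WHERE mystrfield=:name AND myintfield=:count")
    return [row[0] for row in conn.execute(sql, {"name": name, "count": count})]


if __name__ == "__main__":
    conn = make_db()
    print("unsafe, honest input:", lookup_unsafe(conn, "alice", 5))
    # Constructed hostile input: the count "argument" carries an OR clause.
    print("unsafe, hostile count:", lookup_unsafe(conn, "nobody", "5 OR 1=1"))
    print("safe, quote in name:", lookup_safe(conn, "' OR '1'='1", 5))
    try:
        lookup_safe(conn, "nobody", "5 OR 1=1")
    except TypeError as exc:
        print("safe, hostile count rejected:", exc)
```

Running the block shows the unsafe query returning every row for the hostile count, while the parameterized query treats the quoted name as an ordinary (non-matching) string and rejects the non-integer count before any SQL is sent.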

