| From: | Pierre-Frédéric Caillaud <lists(at)boutiquenumerique(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-27 06:37:23 |
| Message-ID: | opsbr90lipcq72hf@musicbox |
| Lists: | pgsql-general |
Python has an interface like this:

```python
# The keys in params must match the %(name) placeholders in the query.
params = { 'mystrfield': 'hello', 'myintfield': 5 }
cursor.execute( "SELECT myfield FROM mytable WHERE "
                "mystrfield=%(mystrfield)s AND myintfield=%(myintfield)d;", params )
```

It has the following advantages:
- separation of sql from data
- named parameters
- no problem with order
- one parameter can be reused several times
- automatic escaping of strings
- automatic enforcement of int, float etc types with %d and %f (throws an exception otherwise)
The only problem so far with Python's dbapi is that it does not
understand arrays so they have to be stringified first.
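Added example (not from the post above): the same named-parameter idea run against an in-memory sqlite3 database with constructed rows, side by side with string interpolation. It assumes sqlite3's `:name` placeholder style (psycopg uses `%(name)s`), and the `isinstance` check is a hand-written stand-in for the `%d` type enforcement the post describes.

```python
import sqlite3

# Constructed sample data; one value contains a quote on purpose.
ROWS = [("alice", 30), ("O'Brien", 41), ("bob", 25)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (mystrfield TEXT, myintfield INTEGER)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, name, min_age):
    # Data is pasted into the SQL text, so a quote in `name` changes the statement.
    sql = ("SELECT mystrfield, myintfield FROM mytable "
           "WHERE mystrfield='%s' AND myintfield>=%s" % (name, min_age))
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name, min_age):
    # SQL text is constant; values travel separately as named parameters.
    # The :name parameter is referenced twice, which the named style allows.
    sql = ("SELECT mystrfield, myintfield FROM mytable "
           "WHERE mystrfield = :name AND myintfield >= :min_age "
           "AND length(mystrfield) = length(:name)")
    # Hypothetical stand-in for the %d enforcement described in the post.
    if not isinstance(min_age, int):
        raise TypeError("min_age must be an int, got %r" % (min_age,))
    return conn.execute(sql, {"name": name, "min_age": min_age}).fetchall()


def demo():
    """Return what each variant does with a name containing a quote."""
    conn = make_db()
    out = {"safe": lookup_safe(conn, "O'Brien", 18)}
    try:
        out["unsafe"] = lookup_unsafe(conn, "O'Brien", 18)
    except sqlite3.OperationalError as exc:
        # The interpolated statement is no longer valid SQL.
        out["unsafe"] = "error: %s" % exc
    return out


if __name__ == "__main__":
    print(demo())
```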