[Python-3000] DB API SQL injection issue
Nicko van Someren nicko at nicko.org
Tue May 1 22:38:26 CEST 2007
On 1 May 2007, at 20:14, Jason Garber wrote:
> In PEP 249 (Python Database API Specification v2.0), there is a paragraph about cursors that reads:
>
> .execute(operation[,parameters])
> Prepare and execute a database operation (query or command). Parameters may be provided as sequence or mapping and will be bound to variables in the operation. Variables are specified in a database-specific notation (see the module's paramstyle attribute for details). [5]
>
> I propose that the second parameter to execute() is changed to be a required parameter to prevent accidental SQL injection vulnerabilities.
How do you propose to deal with the SQL commands for which there is
no need to do any parameter replacement? This is not at all
uncommon; would you expect to make people type cur.execute("SELECT
DISTINCT zip_code FROM customer_addresses", None) or somesuch?
Nicko
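The two execute() styles discussed in this thread, as an added illustration that is not part of either message: a query that pastes untrusted text into the operation string (the accident the proposal wants to prevent), the PEP 249 form that passes the value through the parameters argument, and the parameter-free DISTINCT zip_code statement Nicko mentions. The table contents and the customer names are constructed sample data; sqlite3 is used because its paramstyle is 'qmark'.

```python
import sqlite3

# Constructed sample data for the customer_addresses table named in the thread.
SAMPLE_ROWS = [
    ("Alice", "10001"),
    ("Bob", "94105"),
    ("O'Brien", "94105"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer_addresses (name TEXT, zip_code TEXT)")
    conn.executemany("INSERT INTO customer_addresses VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def zips_for_name_unsafe(conn, name):
    """The mistake the proposal targets: caller-supplied text becomes part of the SQL."""
    cur = conn.cursor()
    cur.execute("SELECT zip_code FROM customer_addresses WHERE name = '%s'" % name)
    return [row[0] for row in cur.fetchall()]


def zips_for_name_safe(conn, name):
    """PEP 249 form: the value is bound via the parameters argument, so quotes in
    it are data, never syntax (sqlite3 uses the 'qmark' paramstyle)."""
    cur = conn.cursor()
    cur.execute("SELECT zip_code FROM customer_addresses WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def distinct_zips(conn):
    """Nicko's case: a statement with nothing to bind, so parameters are simply omitted."""
    cur = conn.cursor()
    cur.execute("SELECT DISTINCT zip_code FROM customer_addresses ORDER BY zip_code")
    return [row[0] for row in cur.fetchall()]
```

With the bound form, an input such as a name containing an apostrophe is matched literally, whereas the formatted form either fails with a syntax error or, for a crafted value, changes the WHERE clause and returns rows the caller never asked for.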