On 14/08/15 19:40, boB Stepp wrote:

> "Instead, use the DB-API’s parameter substitution. Put ? as a
> placeholder wherever you want to use a value, and then provide a tuple
> of values as the second argument to the cursor’s execute() method..."

This is not a SQLite issue; it's true of any database.

> I have to be honest -- I would have fallen into this potential trap

Me too, the first time I used a SQL database.
But it didn't take long before a more enlightened colleague
advised me of my ignorance! :-)

> I had not read this.  It is not clear to me yet how the recommendation
> avoids this issue.  Does the placeholder enforce some sort of type
> checking so that arbitrary SQL strings will be rejected?

Yes, it parses the inputs to detect potential issues,
such as rogue semicolons etc.

> Having seen this example, are there any other security surprises that
> I need to avoid by adopting certain coding techniques when I am using
> Python with SQLite?

As I say, it's not just SQLite, it's any database.

And the same is true of handling URLs etc.: you should always
use library parsing and escaping routines to build them,
especially when inserting data from users or received
data files.

hth
--
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
http://www.amazon.com/author/alan_gauld
Follow my photo-blog on Flickr at:
http://www.flickr.com/photos/alangauldphotos

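The trap and the fix discussed above, side by side, as an added example (not code from either poster). It uses Python's standard sqlite3 module against an in-memory database with a constructed two-row users table; the function names and sample data are the example's own.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the thread).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # executemany with ? placeholders is the same substitution mechanism
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    """The trap: splice the caller's string into the SQL text.
    Whatever is in `name` becomes part of the statement the parser sees."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a ? placeholder plus a tuple of values.  The driver hands
    the value to SQLite separately from the statement text, so quotes,
    semicolons or keywords in `name` are just characters to compare
    against the column, never SQL syntax."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a normal name and on a string that happens to
    be valid SQL if it is spliced into the statement text."""
    conn = make_db()
    odd_name = "nobody' OR '1'='1"
    return {
        "unsafe": lookup_unsafe(conn, odd_name),  # the string changed the WHERE clause
        "safe": lookup_safe(conn, odd_name),      # no user is literally called that
        "normal": lookup_safe(conn, "alice"),     # placeholders work for ordinary values
    }


if __name__ == "__main__":
    for kind, rows in demo().items():
        print(kind, rows)
```

The placeholder version returns no rows for the odd string because nothing in the table has that exact name, while the spliced version returns every row; sqlite3's execute() also refuses text containing more than one statement, but that is a driver limitation, not a substitute for placeholders.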

_______________________________________________
Tutor maillist  -  Tutor@python.org
To unsubscribe or change subscription options:
https://mail.python.org/mailman/listinfo/tutor
