Re: Sql injection attacks - Mailing list pgsql-general

From Pierre-Frédéric Caillaud
Subject Re: Sql injection attacks
Date
Msg-id opsbr90lipcq72hf@musicbox
Whole thread Raw
In response to Re: Sql injection attacks  (Tom Allison <tallison@tacocat.net>)
List pgsql-general
    Python has an interface like this :

    params = { 'mystrfield': 'hello', 'myintfield': 5 }

    cursor.execute( "SELECT myfield FROM mytable WHERE
mystrfield=%(foo)s AND myintfield=%(bar)d;" , params )

    It has the following advantages :
    - separation of sql from data
    - named parameters
        - no problem with order
        - one parameter can be reused several times
    - automatic escaping of strings
    - automatic enforcement of int, float etc types with %d and %f (throws an
exception otherwise)

    The only problem so far with Python's dbapi is that it does not
understand arrays so they have to be stringified first.


pgsql-general by date:

Previous
From: Tom Allison
Date:
Subject: Re: Sql injection attacks
Next
From: Pierre-Frédéric Caillaud
Date:
Subject: Sequences & rules