#11
|
David Bear wrote:
> Steve Holden wrote:
>> Fredrik Lundh wrote:
>>> Frank Millman wrote:
>>>> Each of the APIs includes the capability of passing commands in the
>>>> form of 'string + parameters' directly into the database. This means
>>>> that the data values are never embedded into the SQL command at all,
>>>> and therefore there is no possibility of injection attacks.
>
> My news server didn't get Frank's initial post to the group, so I'm glad that
> Steve included it in his followup.
>
> The statement above can cause relief or pain. Letting the DBAPI handle
> proper string escapes, formatting, etc., is a big relief. However, I am
> still wondering what happens under the covers. If I have a string '1\n'
> that I've read from some source and I really intend on inserting it into
> the database as a number 1, if the table column it goes into is of type int
> or num or float, will the DBAPI really know what to do with the newline?

Yes. If you read the DB API documentation (http://www.python.org/peps/pep-0249.html) you will see that there's a section on "Type Objects and Constructors". It's those that ensure a value will be coerced into the required form if possible.

regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC www.holdenweb.com
PyCon TX 2006 www.python.org/pycon/
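An added example, not code from this thread, illustrating the two points discussed above: a value passed as a DB API parameter is bound as data and never becomes part of the SQL text, and a string such as '1\n' is best coerced to the intended Python type before binding rather than relying on the driver or database to guess. It assumes Python's sqlite3 module (a DB API 2.0 module with qmark paramstyle) and an in-memory database; `coerce_int`, `run_demo` and the sample values are constructed for this demo.

```python
import sqlite3


def coerce_int(value):
    # Explicit Python-side coercion: int() tolerates surrounding whitespace,
    # so "1\n" becomes 1, and a non-numeric string raises ValueError instead
    # of being silently bound as text.
    if isinstance(value, str):
        return int(value.strip())
    return int(value)


def run_demo():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, qty INTEGER, note TEXT)")

    # Constructed untrusted inputs: a numeric string with a trailing newline
    # (David's case) and a string that would be dangerous if concatenated
    # into the SQL text.
    raw_qty = "1\n"
    hostile_note = "x'); DROP TABLE t; --"

    # Parameter binding: the SQL text contains only placeholders; the driver
    # passes the values separately, so they are stored, not interpreted.
    cur.execute(
        "INSERT INTO t (qty, note) VALUES (?, ?)",
        (coerce_int(raw_qty), hostile_note),
    )

    # The Python int was bound as an integer; the note is stored verbatim.
    cur.execute("SELECT qty, typeof(qty), note FROM t")
    qty, storage_class, note = cur.fetchone()

    # The table still exists, so the bound string was never executed.
    cur.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 't'"
    )
    table_survives = cur.fetchone() is not None
    conn.close()
    return qty, storage_class, note, table_survives


if __name__ == "__main__":
    print(run_demo())
```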
|
|