Secure Python code - volunteers for code review?
Gerhard Haering
gh at ghaering.de
Wed Oct 13 10:53:54 EDT 2004
On Tue, Oct 12, 2004 at 10:25:58PM -0700, Cliff Wells wrote:
> [Josiah Carlson requests a security review of his code storing/receiving
> email data from a PostgreSQL database]
>
> A more straightforward way is to simply use prepare() religiously.
> This also avoids the headache of having to decode your data if you
> use a different program to access it (such as psql or mysql).

There's no prepare() in the DB-API. Letting the database module do the
quoting should be enough to stay clear of SQL injection attacks. And this
his code does, from what I can see.

The SQL stuff is hard to read for me, though. Maybe the database access
code should be factored out more and put in a class of its own.

-- Gerhard
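As an added example (not code from the thread or from Josiah's program), here is the approach Gerhard describes: a small data-access class of its own where every value goes through DB-API parameter binding, so the driver does the quoting. It uses the standard sqlite3 module so it runs stand-alone; the MailStore class and the sample messages are constructed for illustration.

```python
import sqlite3


class MailStore:
    """Data-access class: all SQL lives here, and every value is passed
    through DB-API parameter binding instead of string formatting."""

    def __init__(self, conn):
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS mail ("
            "id INTEGER PRIMARY KEY, sender TEXT, subject TEXT, body TEXT)"
        )

    def store(self, sender, subject, body):
        # sqlite3 uses the 'qmark' paramstyle ('?'); PostgreSQL modules such
        # as psycopg use 'pyformat' ('%s'). In both cases the module binds the
        # values itself, so quotes inside them are never interpreted as SQL.
        cur = self.conn.execute(
            "INSERT INTO mail (sender, subject, body) VALUES (?, ?, ?)",
            (sender, subject, body),
        )
        self.conn.commit()
        return cur.lastrowid

    def fetch_by_sender(self, sender):
        cur = self.conn.execute(
            "SELECT subject, body FROM mail WHERE sender = ? ORDER BY id",
            (sender,),
        )
        return cur.fetchall()

    def count(self):
        return self.conn.execute("SELECT COUNT(*) FROM mail").fetchone()[0]


def demo():
    store = MailStore(sqlite3.connect(":memory:"))
    # Constructed sample messages whose fields contain SQL metacharacters.
    hostile = "x'; DELETE FROM mail; --"
    store.store("alice@example.com", "Re: review", "looks fine to me")
    store.store(hostile, "it's a test", "O'Brien said \"hello\"")
    # Both rows survive (nothing was deleted) and the awkward strings
    # round-trip unchanged, with no manual escaping or decoding needed.
    return store.count(), store.fetch_by_sender(hostile)
```

Because the data is stored verbatim rather than pre-escaped, it also reads correctly from psql or any other client, which is the decoding headache Cliff mentions.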