[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnumed-devel] Commas

From: Karsten Hilbert
Subject: Re: [Gnumed-devel] Commas
Date: Thu, 26 Jun 2003 08:30:22 +0200
User-agent: Mutt/

> I have found gmConfigRegistry was crashing out because I had called my 
> machine "Ian's home" the comma messing up the
> SQL query.
There's also a few other "malicious" things that need to be quoted
that would form the basis of an SQL injection attack: " '); delete
* from ...;" added to some value.

> I have added the function gmPG.esc () which will perform this conversion, 
> please use it whereever you are added an unknown string 
> into a query.
This is good for now but I am planning to audit gmCfg and
convert it to this behaviour:

> I notice the convention cursor.execute (query, arg1, arg2, ...) is being 
> used: does this also do this conversion?
Yes and this is (according to a recent statement of Gerhard
Häring of pyPgSQL fame on pgsql-general) the preferred way of
doing the quoting as only the DB-API module really knows how
this particular database needs it's stuff quoted. And
supposedly it will also check for the above injection attack
stuff. In fact, on Oracle, the module won't even do the
substitution as Oracle allows to send SQL with placeholders
and values for substitution separately doing the substitution
all by itself !

GPG key ID E4071346 @
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346

reply via email to

[Prev in Thread] Current Thread [Next in Thread]