Roy S. Rapoport
mod_python at ols.inorganic.org
Thu Jun 5 16:18:07 EST 2003
On Thu, Jun 05, 2003 at 06:59:06PM -0400, Michael C. Neel wrote:
> I'm surprised no one has mentioned this yet, but you really need to be
> using placeholders with the cursor; otherwise you are writing
> exploitable code.
>
> Consider this:
>
> C.execute("SELECT name FROM users WHERE user_id='" +
> cgi_submitted_userid + "'")
>
> Now I send my userid as "hackyou'; DELETE FROM users --"
Back up there.
You don't need to use placeholders with the cursor.
You need to write non-exploitable CGI code.
I really like Perl's "warn me if I actually use anything given to me
from the outside without validating it" option, but hey, we're Python
programmers -- we shouldn't need our hands held. Validate, validate,
validate.
-roy
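Both pieces of advice in this exchange side by side, as an added example from the editor rather than code from either poster: the concatenated statement from the quoted message is built as text so its shape is visible, the same query is run with a DB-API placeholder so the driver binds the value literally, and an allow-list check stands in for the "validate, validate, validate" step. It assumes SQLite as the DB-API driver, a constructed `users` table, and that user ids are purely numeric.

```python
import re
import sqlite3

# Constructed sample data standing in for the "users" table in the thread.
SAMPLE_USERS = [(1, "alice"), (2, "bob")]
# The input quoted in the thread; here it is only ever bound as a parameter.
HOSTILE_USERID = "hackyou'; DELETE FROM users --"
# Assumption: user ids are decimal integers, so anything else is rejected.
USERID_RE = re.compile(r"^[0-9]+$")


def make_db():
    """Create an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_unsafe_sql(cgi_submitted_userid):
    """The concatenation from the quoted message, returned as text only so the
    reader can see the submitted value become part of the statement."""
    return "SELECT name FROM users WHERE user_id='" + cgi_submitted_userid + "'"


def lookup_name_parameterized(conn, cgi_submitted_userid):
    """Michael's point: a placeholder makes the driver bind the whole string as
    one value, so it is compared against user_id rather than parsed as SQL."""
    cur = conn.cursor()
    cur.execute("SELECT name FROM users WHERE user_id=?", (cgi_submitted_userid,))
    row = cur.fetchone()
    return row[0] if row else None


def validate_userid(cgi_submitted_userid):
    """Roy's point: allow-list outside input before it goes near the database."""
    return USERID_RE.match(cgi_submitted_userid) is not None


def lookup_name(conn, cgi_submitted_userid):
    """Validation first, placeholder second; the two are complementary."""
    if not validate_userid(cgi_submitted_userid):
        raise ValueError("user_id must be numeric")
    return lookup_name_parameterized(conn, int(cgi_submitted_userid))


def user_count(conn):
    """Row count, used to confirm the table survived the hostile lookup."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```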