[mod_python] addSlashes() in python, sql cgi question

Roy S. Rapoport mod_python at ols.inorganic.org
Thu Jun 5 16:18:07 EST 2003


On Thu, Jun 05, 2003 at 06:59:06PM -0400, Michael C. Neel wrote:
> I'm surprised no one has mentioned this yet, but you really need to be
> using placeholders with the cursor; otherwise you are writing
> exploitable code.
> 
> Consider this:
> 
> C.execute("SELECT name FROM users WHERE user_id='" +
> cgi_submitted_userid + "'")
> 
> Now I send my userid as "hackyou'; DELETE FROM users --"

Back up there.

You don't need to use placeholders with the cursor.
You need to write non-exploitable CGI code.

I really like Perl's "warn me if I actually use anything given to me
from the outside without validating it" option, but hey, we're Python
programmers -- we shouldn't need our hands held.  Validate, validate,
validate.

-roy
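The two positions in this thread side by side, as an added example (not code from either poster): the concatenated query from the quoted post, the same lookup with a DB-API placeholder, and an allowlist check on the submitted user id. It uses an in-memory sqlite3 table constructed here; the `users` schema and the user-id pattern are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the CGI script's database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob")])
    conn.commit()
    return conn


def lookup_concat(conn, cgi_submitted_userid):
    """The pattern from the quoted post: the submitted value becomes SQL text.
    sqlite3.execute() refuses a second statement, so the DELETE payload from
    the thread raises here, but other DB-API drivers may run it; a single
    statement such as  x' OR 'a'='a  shows the same flaw on any driver."""
    c = conn.cursor()
    c.execute("SELECT name FROM users WHERE user_id='" + cgi_submitted_userid + "'")
    return sorted(row[0] for row in c.fetchall())


def lookup_placeholder(conn, cgi_submitted_userid):
    """Michael's point: a placeholder (qmark paramstyle) sends the value as a
    bound parameter, so quotes in it never reach the SQL parser as syntax."""
    c = conn.cursor()
    c.execute("SELECT name FROM users WHERE user_id=?", (cgi_submitted_userid,))
    return sorted(row[0] for row in c.fetchall())


# Assumed allowlist for a user id; anything else is rejected before use.
USERID_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_userid(value):
    """Roy's point: refuse outside input that is not a well-formed user id."""
    if not USERID_RE.match(value):
        raise ValueError("invalid user_id")
    return value


def lookup_validated(conn, cgi_submitted_userid):
    """Both together: validate first, then bind the value as a parameter."""
    return lookup_placeholder(conn, validate_userid(cgi_submitted_userid))
```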

