[mod_python] addSlashes() in python, sql cgi question

Michael C. Neel neel at mediapulse.com
Fri Jun 6 10:19:54 EST 2003


> Back up there.
>
> You don't need to use placeholders with the cursor.
> You need to write non-exploitable CGI code.

Actually, using the placeholder is writing non-exploitable CGI code.
It's standard across drivers that support it, and every major DB does
support placeholders.  It's well tested code too, you're more likely to
make an error writing your own validation routine than find one in the
cursor/database server.


>
> I really like Perl's "warn me if I actually use anything given to me
> from the outside without validating it" option, but hey, we're Python
> programmers -- we shouldn't need our hands held.  Validate, validate,
> validate.
>

This problem lies in the safest of areas, concatenation of strings.  All
the use strict, taints, etc. will still allow this to happen.  It's like
using hidden fields for price information in an online store; there are
no compiler warnings to say that's a bad idea.

Placeholders are safer, faster, and simpler.  Really no reason not to
use them.

Mike
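The contrast Mike draws above, as an added example that is not part of the original post or of mod_python: the same lookup written once by concatenating the request value into the SQL text and once with a DB-API placeholder, run against a small in-memory SQLite table constructed here for the demonstration. The table, the column names and the sample inputs are assumptions for the example; the point is that the concatenated form lets an input containing a quote change the query (or break it with a syntax error), while the bound parameter is only ever a value.

```python
import sqlite3


def make_db():
    # Constructed sample data, in memory; stands in for the CGI script's real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_concat(conn, name):
    # The pattern the thread warns about: request input spliced into the SQL text,
    # so the database parses whatever the caller sent as part of the statement.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "' ORDER BY name"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # A stray quote in the input is enough to make the statement invalid.
        return "error: " + str(exc)


def lookup_placeholder(conn, name):
    # The placeholder form: the driver binds the value separately from the SQL text,
    # so the input is compared as a literal and never parsed as SQL.
    # sqlite3 uses "?" (DB-API paramstyle "qmark"); other drivers use e.g. "%s".
    sql = "SELECT name, email FROM users WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    # Three constructed inputs: an ordinary name, a name that legitimately contains
    # a quote, and a value shaped to alter the WHERE clause if it is concatenated.
    inputs = {
        "plain": "alice",
        "quoted_name": "o'brien",
        "altered_clause": "x' OR 'a'='a",
    }
    results = {}
    for label, value in inputs.items():
        results[label] = {
            "concat": lookup_concat(conn, value),
            "placeholder": lookup_placeholder(conn, value),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label)
        print("  concat:     ", outcome["concat"])
        print("  placeholder:", outcome["placeholder"])
```

Running it shows the three behaviours side by side: the plain name returns one row either way, the name with an apostrophe raises a syntax error in the concatenated version but matches nothing (correctly) with the placeholder, and the third input returns every row from the concatenated query while the placeholder version returns an empty list because no user is literally named that. No validation routine had to be written for the placeholder path; the driver did the quoting.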
