| Path | csiph.com!news.swapon.de!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail |
|---|---|
| From | Lawrence D'Oliveiro <ldo@nz.invalid> |
| Newsgroups | comp.databases |
| Subject | Quoting SQL Strings |
| Date | Mon, 29 Apr 2024 02:53:46 -0000 (UTC) |
| Organization | A noiseless patient Spider |
| Lines | 8 |
| Message-ID | <v0n23q$1gkpa$2@dont-email.me> |
| MIME-Version | 1.0 |
| Content-Type | text/plain; charset=UTF-8 |
| Content-Transfer-Encoding | 8bit |
| Injection-Date | Mon, 29 Apr 2024 04:53:47 +0200 (CEST) |
| Injection-Info | dont-email.me; posting-host="04215bbbe15e1cd8ac94ba1cee5d62b8"; logging-data="1594154"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18wjzhDJeOGTH8l3wiU2gkZ" |
| User-Agent | Pan/0.155 (Kherson; fc5a80b8) |
| Cancel-Lock | sha1:4sQ/mdqU4eU4BqHT+U7uk8F8yOY= |
| Xref | csiph.com comp.databases:18904 |
People see dynamic generation of SQL queries as some kind of black art.
“Use templates and prepared statements”, they say. “Fear the SQL injection
attack”, they say.
Turning a string value into a literal for use in an SQL query is really
very simple. In Python, this is all it takes:
```python
# s is the Python str to embed; each embedded ' is doubled, then the
# result is wrapped in single quotes to form the literal
"'" + s.replace("'", "''") + "'"
```
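As an added example (not part of the original post), here is that expression wrapped in a helper and checked against SQLite's own parameter binding on a few constructed edge-case values; `sql_quote`, `roundtrip_matches` and `SAMPLE_NAMES` are names chosen here. The helper implements the standard-SQL rule the post states, which is correct only for dialects where a lone single quote is the sole string terminator.

```python
import sqlite3


def sql_quote(s: str) -> str:
    """Turn a Python str into a standard-SQL string literal.

    Standard SQL (SQLite, PostgreSQL with standard_conforming_strings)
    ends a literal at the first lone single quote, so a quote inside the
    value is written as two quotes.  Dialects that additionally treat
    backslash as an escape character (MySQL by default) need their own
    escaping rules; this helper does not attempt to cover them.
    """
    if not isinstance(s, str):
        # Numbers, None, bytes and dates are not string literals; bind them.
        raise TypeError("sql_quote only quotes str values")
    return "'" + s.replace("'", "''") + "'"


# Constructed sample values: embedded quote, adjacent quotes, empty
# string, a backslash, non-ASCII text and a quote in the middle.
SAMPLE_NAMES = ["O'Brien", "''", "", "back\\slash", "Zoë", "a ' b"]


def roundtrip_matches(values):
    """Insert each value, then fetch it back two ways: with a literal built
    by sql_quote() and with a bound parameter.  Returns True only when every
    value is found exactly once by both methods and both return the same row.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO t (name) VALUES (?)", [(v,) for v in values])
    for v in values:
        via_literal = con.execute(
            "SELECT id, name FROM t WHERE name = " + sql_quote(v)).fetchall()
        via_param = con.execute(
            "SELECT id, name FROM t WHERE name = ?", (v,)).fetchall()
        if len(via_literal) != 1 or via_literal != via_param:
            return False
    return True


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name), "->", sql_quote(name))
    print("literal and parameter lookups agree:", roundtrip_matches(SAMPLE_NAMES))
```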