From: Chris Angelico
To: python-list@python.org
Newsgroups: comp.lang.python
Date: Thu, 29 Mar 2012 11:07:47 +1100
Subject: Re: RE: Advise of programming one of my first programs

On Thu, Mar 29, 2012 at 9:36 AM, Anatoli Hristov wrote:
>> > > Um, at least by my understanding, the use of Pickle is also dangerous
>> > > if you are not completely sure what is being passed in:
>> >
>> > Oh goodness yes. pickle is exactly as unsafe as eval is. Try running
>> > this code:
>> >
>> > from pickle import loads
>> > loads("c__builtin__\neval\n(c__builtin__\nraw_input\n(S'py>'\ntRtR.")
>>
>> It might be as dangerous, but which is more likely to cause problems in
>> real world scenarios?
>
> Guys this is really something that is not that important at this time for
> me

Maybe not, but it's still worth being aware of. Even if today your strings
will never include apostrophes, it's still important to understand the risks
of SQL injection and properly escape them before inserting them into an SQL
statement. Just docket the information in the back of your mind "Don't use
pickle with untrusted data" and move on. :)

ChrisA
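Added illustration of the two closing points (the apostrophe-in-SQL problem and "don't use pickle with untrusted data"); this is example code written for this archive page, not code posted in the thread. It assumes Python 3 with the standard library only; the names `RestrictedUnpickler`, `load_untrusted` and `sql_demo` and the sample payloads are my own constructions. The `find_class` override follows the restricted-unpickler pattern from the `pickle` module documentation: a pickle that carries only plain data never needs to resolve a global, so refusing every global lookup blocks the "call a function on load" trick the quoted `loads(...)` snippet relies on, while still loading ordinary dicts and lists.

```python
import io
import pickle
import sqlite3

# Constructed sample inputs for the demonstration (not from the thread).
# A pickle of plain data: dict, str, int. Loading it never touches a global.
SAFE_PAYLOAD = pickle.dumps({"user": "O'Brien", "score": 42})
# A pickle that references a module-level global (here the harmless builtin
# `len`). Any global reference is what lets a pickle run code on load, so a
# restricted loader must refuse it no matter which name it is.
GLOBAL_PAYLOAD = pickle.dumps(len)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global name (hypothetical helper).

    The pickle VM calls find_class() for every GLOBAL / STACK_GLOBAL opcode.
    Raising here means no module is imported and no callable is looked up.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "refusing to load global %s.%s from untrusted pickle" % (module, name)
        )


def load_untrusted(data):
    """Return ("ok", obj) for data-only pickles, ("rejected", reason) otherwise."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def sql_demo():
    """Show the apostrophe problem and its fix on an in-memory SQLite table.

    Returns (outcome_of_string_built_insert, names_actually_stored).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, score INTEGER)")
    name = "O'Brien"  # constructed: the apostrophe is the whole point

    # Fragile way: the value is pasted into the statement text. The apostrophe
    # closes the string literal early, so SQLite sees a malformed statement
    # ('O'Brien' -> 'O' followed by the bare token Brien) and rejects it.
    try:
        conn.execute(
            "INSERT INTO users (name, score) VALUES ('%s', %d)" % (name, 42)
        )
        outcome = "accepted"
    except sqlite3.OperationalError:
        outcome = "syntax error"

    # Robust way: placeholders. The driver passes the value separately from
    # the SQL text, so no quoting or escaping of the value is ever needed.
    conn.execute("INSERT INTO users (name, score) VALUES (?, ?)", (name, 42))
    conn.commit()
    stored = [row[0] for row in conn.execute("SELECT name FROM users")]
    return outcome, stored


if __name__ == "__main__":
    print(load_untrusted(SAFE_PAYLOAD))    # ('ok', {'user': "O'Brien", 'score': 42})
    print(load_untrusted(GLOBAL_PAYLOAD))  # ('rejected', 'refusing to load global builtins.len ...')
    print(sql_demo())                      # ('syntax error', ["O'Brien"])
```

Two design notes. First, the restricted unpickler is a containment measure, not a reason to accept pickle from strangers: when you control the wire format, a data-only format such as JSON avoids the problem entirely. Second, the parameterised `?` form is what "properly escape them" means in practice for DB-API drivers; hand-escaping with `%` formatting is exactly the code path that breaks on the first apostrophe.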