| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| To | python-list@python.org |
| Date | Wed, 20 Apr 2011 19:26:44 +1000 |
| Subject | Re: Pickling over a socket |
| Newsgroups | comp.lang.python |
| In-Reply-To | <20110420111723.2daf2437@chaostal.de> |
| Message-ID | <mailman.631.1303291608.9059.python-list@python.org> |
On Wed, Apr 20, 2011 at 7:17 PM, Bastian Ballmann <balle@chaostal.de> wrote:
> Well you forgot to escape ; and \ but this seems to slide into OT ;)

The semicolon doesn't need to be escaped in a quoted string, and the
backslash does only if it's the escape character. The string-safetifier
function that I used with DB2 was called "dblapos" because it simply
doubled every apostrophe - nothing else needed. On the other hand,
mysql_real_escape_string will escape quite a few characters, for
convenience in reading dumps.

> On Wed, 20 Apr 2011 18:43:01 +1000,
> Chris Angelico <rosuav@gmail.com> wrote:
>
>> So, like Jean-Paul said, you simply do not trust anything that comes
>> from the network. Ever.
>
> If you generalize it in this way you should never trust any user input
> regardless if it comes from the net or from local or the environment
> etc.

Yes, but the other half of the issue is that you have to treat anything
that comes over the network as "user input", even if you think it's from
your own program that you control.

>> Urrrm. You can "own" a "complete computer" with SQL injection? Then
>> someone has some seriously weak protection.
>
> Yes and the database is poorly protected, but this happens way too
> often.

That's just *sad*.

>> SQL injection is easier to
>> protect against than buffer overruns, and with a lot of function
>> libraries
>
> I totally disagree. Buffer overflow is just a matter of size checking,
> but SQL injection is a matter of syntax. It's more than just throwing
> the input into a magic auto-escape function.

Buffer overruns can happen in all sorts of places; SQL injection can only
happen where you talk to the database. And it IS just a matter of using a
magic auto-escape function, if your library is set up right - unless, of
course, you allow your users to submit SQL themselves (eg a WHERE
clause). That's almost impossible to sanitize, which is why I would never
EVER allow such a thing unless it's actually a trusted environment (eg
PHPMyAdmin - anyone who has access to PMA has access to the database
anyway).

> We both agree that one should never trust user input blindly and we also
> seem to conform to one can use user input in an appropriate way that's
> not the case, but if I read your mail I think you want to tell me one
> should never ever use the internet or only write programs without user
> input at all.

Not at all; just never *trust* user input. Where thou typest foo, someone
someday will type...

ChrisA
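The "dblapos" idea from the message above (double every apostrophe, nothing else) next to the parameter-binding alternative, as an added example that is not part of the original thread. It uses Python's sqlite3 module against a constructed in-memory table; the table contents and the hostile-looking sample value are made up for the demonstration.

```python
import sqlite3

def dblapos(value: str) -> str:
    """Turn VALUE into a SQL string literal by doubling every apostrophe.

    Inside a standard SQL quoted literal the apostrophe is the only
    special character; a semicolon or backslash stays ordinary text.
    (Only MySQL-style dialects also treat backslash as an escape.)
    """
    return "'" + value.replace("'", "''") + "'"

def make_db() -> sqlite3.Connection:
    """Constructed sample data, including a name with an apostrophe."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")],
    )
    return con

def find_by_name_escaped(con: sqlite3.Connection, name: str) -> list:
    """Build the statement by hand, with the value quoted via dblapos.

    Because the whole of NAME ends up inside one literal, text such as
    x' OR '1'='1 is simply compared against the name column as data.
    """
    sql = "SELECT email FROM users WHERE name = " + dblapos(name)
    return [row[0] for row in con.execute(sql)]

def find_by_name_param(con: sqlite3.Connection, name: str) -> list:
    """Let the library do the quoting: the value never touches the SQL
    text at all. This is the "library set up right" case and is the
    form to prefer; hand-escaping only works if it is applied everywhere."""
    return [row[0] for row in
            con.execute("SELECT email FROM users WHERE name = ?", (name,))]

if __name__ == "__main__":
    con = make_db()
    for probe in ("O'Brien", "x' OR '1'='1"):
        print(probe, find_by_name_escaped(con, probe), find_by_name_param(con, probe))
```

Neither function can be extended to a user-supplied WHERE clause: quoting only protects a single value, which is why the message treats whole-clause input as unsanitizable.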
Pickling over a socket Roger Alexander <rtalexander@mac.com> - 2011-04-19 11:53 -0700
Re: Pickling over a socket Chris Rebert <clp2@rebertia.com> - 2011-04-19 12:21 -0700
Re: Pickling over a socket Chris Angelico <rosuav@gmail.com> - 2011-04-20 05:29 +1000
Re: Pickling over a socket Dan Stromberg <drsalists@gmail.com> - 2011-04-19 12:30 -0700
Re: Pickling over a socket Chris Angelico <rosuav@gmail.com> - 2011-04-20 05:37 +1000
Re: Pickling over a socket Roger Alexander <rtalexander@mac.com> - 2011-04-19 15:27 -0700
Re: Pickling over a socket Jean-Paul Calderone <calderone.jeanpaul@gmail.com> - 2011-04-19 19:28 -0700
Re: Pickling over a socket Bastian Ballmann <balle@chaostal.de> - 2011-04-20 08:44 +0200
Re: Pickling over a socket Chris Angelico <rosuav@gmail.com> - 2011-04-20 16:59 +1000
Re: Pickling over a socket Bastian Ballmann <balle@chaostal.de> - 2011-04-20 09:34 +0200
Re: Pickling over a socket Thomas Rachel <nutznetz-0c1b6768-bfa9-48d5-a470-7603bd3aa915@spamschutz.glglgl.de> - 2011-04-20 10:25 +0200
[OT] Re: Pickling over a socket Bastian Ballmann <balle@chaostal.de> - 2011-04-20 10:59 +0200
Re: Pickling over a socket Chris Angelico <rosuav@gmail.com> - 2011-04-20 19:26 +1000
Re: Pickling over a socket Bastian Ballmann <balle@chaostal.de> - 2011-04-20 11:41 +0200