Re: [SQLObject] SQL quoting and injection
SQLObject is a Python ORM.
From: Ian B. <ia...@co...> - 2004-04-23 20:33:31
jws...@ra... wrote:

> To what degree does SQLObject or SQLbuilder prevent SQL injection attacks? I
> will be accepting user input that may contain ('),("), or (;). Do I need to
> filter this in my app or does it 'just work'?

SQLBuilder handles it, or if you generate your own SQL you can use
self.sqlrepr() to do the necessary quoting (like
"some_column = %s" % self.sqlrepr(user_input))
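The quoting pattern from the reply, as an added example that is not part of the original thread or of SQLObject's own code: `quote_literal()` is a simplified stand-in for `sqlrepr()` (it doubles single quotes inside string literals), and the sample `users` table and its rows are constructed here so the queries can be run against SQLite offline.

```python
import sqlite3

def quote_literal(value):
    """Render a Python value as a SQL literal (simplified stand-in for
    SQLObject's sqlrepr(); not the library's implementation)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # must precede the int check
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        # A quote inside the value is doubled, so ('), (") and (;) from user
        # input stay inside the literal and cannot terminate it.
        return "'" + value.replace("'", "''") + "'"
    raise TypeError("unsupported type: %r" % type(value))

def build_query(user_input):
    # The pattern from the reply: quote first, then interpolate into the SQL.
    return "SELECT name FROM users WHERE name = %s" % quote_literal(user_input)

def _sample_db():
    # Constructed sample data; one name contains the characters asked about.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("O'Reilly; x",)])
    return conn

def lookup(user_input):
    # Quoted interpolation: user input is always a single string literal.
    conn = _sample_db()
    rows = conn.execute(build_query(user_input)).fetchall()
    conn.close()
    return [r[0] for r in rows]

def lookup_parameterized(user_input):
    # Driver-side parameter binding, the alternative to building SQL text
    # (not mentioned in the reply; shown for comparison).
    conn = _sample_db()
    rows = conn.execute("SELECT name FROM users WHERE name = ?",
                        (user_input,)).fetchall()
    conn.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print(build_query("O'Reilly; x"))
    print(lookup("O'Reilly; x"), lookup_parameterized("O'Reilly; x"))
```

Both lookups return only the matching row, which is the behaviour the reply promises for `sqlrepr()`; raw `%` interpolation without the quoting step would not.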