Re: [SQLObject] SQL quoting and injection
SQLObject is a Python ORM.
Brought to you by:
ianbicking,
phd
Menu
▾
▴
Re: [SQLObject] SQL quoting and injection
|
From: Ian B. <ia...@co...> - 2004-04-23 20:33:31
|
jws...@ra... wrote:
> To what degree does SQLObject or SQLbuilder prevent SQL injection attacks? I
> will be accepting user input that may contain ('),("), or (;). Do I need to
> filter this in my app or does it 'just work'?
SQLBuilder handles it, or if you generate your own SQL you can use
self.sqlrepr() to do the necessary quoting (like "some_column = %s" %
self.sqlrepr(user_input)")
|