Message272238

| Field | Value |
|---|---|
| Author | Eyal Mor |
| Recipients | Eyal Mor, docs@python |
| Date | 2016-08-09 12:29:34 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1470745775.08.0.0704550754852.issue27717@psf.upfronthosting.co.za> |
| In-reply-to | |

Content
In the SQLite module documentation there is a code section showing how to securely use the sqlite.execute method.
The problem with this code section is that, just from a glance, without reading the paragraph before or the comments in the section, users could use the insecure version.
It would be better if only a secure example were in the code section.
https://docs.python.org/2/library/sqlite3.html
Section:

```python
# Setup taken from the tutorial earlier on the same docs page, so the excerpt runs stand-alone:
import sqlite3
con = sqlite3.connect(':memory:')
c = con.cursor()
c.execute('CREATE TABLE stocks (date text, trans text, symbol text, qty real, price real)')
c.execute("INSERT INTO stocks VALUES ('2006-01-05', 'BUY', 'RHAT', 100, 35.14)")

# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()

# Larger example that inserts many records at a time
purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
             ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
             ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
            ]
c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)
```
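As an added illustration of the point the report makes (Python 3 code written for this page, not from the Python docs or from the reporter), the two query styles are run side by side against a constructed in-memory `stocks` table: a symbol containing a single quote breaks the string-formatted statement, while the parameterized one treats the same value as plain data. The names `make_db`, `lookup_insecure`, `lookup_secure`, `compare` and `SAMPLE_ROWS`, and the table schema, are assumptions made here.

```python
import sqlite3

# Constructed sample data for this example (assumed schema, modelled on the docs' stocks table).
SAMPLE_ROWS = [
    ("2006-01-05", "BUY", "RHAT", 100, 35.14),
    ("2006-03-28", "BUY", "IBM", 1000, 45.00),
]


def make_db():
    """Create a throwaway in-memory stocks table loaded with SAMPLE_ROWS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stocks (date TEXT, trans TEXT, symbol TEXT, qty REAL, price REAL)")
    con.executemany("INSERT INTO stocks VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def lookup_insecure(con, symbol):
    """The pattern the report wants removed: the value is spliced into the SQL text,
    so a quote character inside `symbol` changes the structure of the statement."""
    return con.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol).fetchall()


def lookup_secure(con, symbol):
    """Parameter binding: sqlite3 hands `symbol` to the engine as data, never as SQL."""
    return con.execute("SELECT * FROM stocks WHERE symbol = ?", (symbol,)).fetchall()


def compare(symbol):
    """Run both styles on the same input.

    Returns (insecure_result, secure_rows); insecure_result is the row list, or the
    name of the exception class when the spliced statement no longer parses.
    """
    con = make_db()
    try:
        insecure = lookup_insecure(con, symbol)
    except sqlite3.Error as exc:
        insecure = type(exc).__name__
    secure = lookup_secure(con, symbol)
    con.close()
    return insecure, secure


if __name__ == "__main__":
    # A plain symbol matches in both styles; one containing a quote only works when bound.
    print(compare("RHAT"))
    print(compare("O'HARE"))
```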
History

| Date | User | Action | Args |
|---|---|---|---|
| 2016-08-09 12:29:35 | Eyal Mor | set | recipients: + Eyal Mor, docs@python |
| 2016-08-09 12:29:35 | Eyal Mor | set | messageid: <1470745775.08.0.0704550754852.issue27717@psf.upfronthosting.co.za> |
| 2016-08-09 12:29:34 | Eyal Mor | link | issue27717 messages |
| 2016-08-09 12:29:34 | Eyal Mor | create | |