In 2010 I couldn't speak English

This commit is contained in:
Daniele Varrazzo 2014-09-11 12:08:11 +01:00
parent 839e4abf39
commit d6688b6689


@ -145,13 +145,15 @@ query:
The problem with the query parameters The problem with the query parameters
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The SQL representation for many data types is often not the same of the Python The SQL representation of many data types is often different from their Python
string representation. The classic example is with single quotes in string representation. The typical example is with single quotes in strings:
strings: SQL uses them as string constants bounds and requires them to be in SQL single quotes are used as string literal delimiters, so the ones
escaped, whereas in Python single quotes can be left unescaped in strings appearing inside the string itself must be escaped, whereas in Python single
bounded by double quotes. For this reason a naïve approach to the composition quotes can be left unescaped if the string is delimited by double quotes.
of query strings, e.g. using string concatenation, is a recipe for terrible
problems:: Because of the difference, sometime subtle, between the data types
representations, a naïve approach to query strings composition, such as using
Python strings concatenation, is a recipe for *terrible* problems::
>>> SQL = "INSERT INTO authors (name) VALUES ('%s');" # NEVER DO THIS >>> SQL = "INSERT INTO authors (name) VALUES ('%s');" # NEVER DO THIS
>>> data = ("O'Reilly", ) >>> data = ("O'Reilly", )
@ -160,13 +162,13 @@ problems::
LINE 1: INSERT INTO authors (name) VALUES ('O'Reilly') LINE 1: INSERT INTO authors (name) VALUES ('O'Reilly')
^ ^
If the variable containing the data to be sent to the database comes from an If the variables containing the data to send to the database come from an
untrusted source (e.g. a form published on a web site) an attacker could untrusted source (such as a form published on a web site) an attacker could
easily craft a malformed string, either gaining access to unauthorized data or easily craft a malformed string, either gaining access to unauthorized data or
performing destructive operations on the database. This form of attack is performing destructive operations on the database. This form of attack is
called `SQL injection`_ and is known to be one of the most widespread forms of called `SQL injection`_ and is known to be one of the most widespread forms of
attack to servers. Before continuing, please print `this page`__ as a memo and attack to database servers. Before continuing, please print `this page`__ as a
hang it onto your desk. memo and hang it onto your desk.
.. _SQL injection: http://en.wikipedia.org/wiki/SQL_injection .. _SQL injection: http://en.wikipedia.org/wiki/SQL_injection
.. __: http://xkcd.com/327/ .. __: http://xkcd.com/327/