[Twisted-Python] util.quote deprecated

Amaury Forgeot d'Arc amauryfa at gmail.com
Tue Mar 3 05:50:47 MST 2009


On Tue, Mar 3, 2009 at 13:17, Pet <petshmidt at googlemail.com> wrote:
> Hi,
>
> what is a proper way to escape user input in database query strings?
> I've used quote from twisted.enterprise.util, but it is deprecated now.
> Is there any other module for this purpose?

I can't do better than quote the sqlite documentation. I Hope this helps!
http://docs.python.org/library/sqlite3.html

"""
Usually your SQL operations will need to use values from Python
variables. You shouldn’t assemble your query using Python’s string
operations because doing so is insecure; it makes your program
vulnerable to an SQL injection attack.

Instead, use the DB-API’s parameter substitution. Put ? as a
placeholder wherever you want to use a value, and then provide a tuple
of values as the second argument to the cursor’s execute() method.
(Other database modules may use a different placeholder, such as %s or
:1.) For example:

# Never do this -- insecure!
symbol = 'IBM'
c.execute("... where symbol = '%s'" % symbol)

# Do this instead
t = (symbol,)
c.execute('select * from stocks where symbol=?', t)

# Larger example
for t in [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
          ('2006-04-05', 'BUY', 'MSOFT', 1000, 72.00),
          ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
         ]:
    c.execute('insert into stocks values (?,?,?,?,?)', t)
"""

-- 
Amaury Forgeot d'Arc




More information about the Twisted-Python mailing list