[Twisted-Python] util.quote deprecated

Tim Allen screwtape at froup.com
Tue Mar 3 06:04:04 MST 2009


On Tue, Mar 03, 2009 at 01:17:48PM +0100, Pet wrote:
> what is a proper way to escape user input in database query strings?
> I've used quote from twisted.enterprise.util, but it is deprecated now.
> Is there any other module for this purpose?

The correct way to escape user input is not to do it at all, but rather
to leave it up to the DB-API module you're using:

    from twisted.enterprise.adbapi import ConnectionPool

    pool = ConnectionPool("psycopg2")
    # The parameters go in a tuple (DB-API sequence); psycopg2
    # rejects a bare string here.
    d = pool.runQuery("""
        SELECT *
        FROM students
        WHERE name = %s
        """, ("Robert '); DROP TABLE students;--",))

Note that although I've used "%s" in the query, this is not normal
Python string-formatting; the "%s" just tells the DB-API module I'm
using (in this case, psycopg2 for PostgreSQL) to quote one of the extra
parameters and insert it in that spot. Look up "paramstyle" in the DB-API
spec[1] and the documentation for the DB-API module you're using for
more details.

[1] http://www.python.org/dev/peps/pep-0249/
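Added example, not code from the post above: the same parameter-binding idea using the stdlib sqlite3 module, whose paramstyle is "qmark" (placeholder "?" instead of psycopg2's "%s"), so it runs with no database server; ConnectionPool.runQuery hands the same (sql, params) pair to cursor.execute. The table, names and helper functions are constructed for this example; the payload is the one from the post, pushed through both a string-formatted query and a bound one.

```python
import sqlite3

# Sample data constructed for this example; PAYLOAD is the string from the post.
PAYLOAD = "Robert '); DROP TABLE students;--"
NAMES = ["Alice", PAYLOAD]


def make_db():
    """In-memory students table, populated through parameter binding."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    # sqlite3 declares paramstyle 'qmark', so the placeholder is '?' (psycopg2: '%s')
    assert sqlite3.paramstyle == "qmark"
    conn.executemany("INSERT INTO students (name) VALUES (?)", [(n,) for n in NAMES])
    conn.commit()
    return conn


def lookup_param(conn, name):
    """Right way: the DB-API module quotes the value, so the payload is just a name."""
    rows = conn.execute("SELECT name FROM students WHERE name = ?", (name,))
    return [r[0] for r in rows]


def lookup_formatted(conn, name):
    """Wrong way: Python string formatting splices the input into the SQL text."""
    sql = "SELECT name FROM students WHERE name = '%s'" % name
    return [r[0] for r in conn.execute(sql)]


def formatted_query_fails(conn, name):
    """True when the spliced-in input leaves the formatted query invalid SQL."""
    try:
        lookup_formatted(conn, name)
    except (sqlite3.Error, sqlite3.Warning):
        return True
    return False


def row_count(conn):
    return conn.execute("SELECT count(*) FROM students").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    print(lookup_param(conn, PAYLOAD))          # payload found as an ordinary literal
    print(formatted_query_fails(conn, PAYLOAD))  # True: the quote broke the statement
    print(row_count(conn))                       # 2: the table is still there
```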
