Question

The Python docs state that

import sqlite3
c = sqlite3.connect('example.db').cursor()  # cursor setup, as in the docs' surrounding example

# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print(c.fetchone())

I understand that the first option is vulnerable to an SQL injection attack. What I don't understand is why the second option would be more secure. Aren't these identical?


Solution

No - the execute method will take care to escape the argument correctly. Thus, if t is Robert'); DROP TABLE Students;--, the full command that would be transmitted to the DB engine in the second case would be something like

SELECT * FROM stocks WHERE symbol='Robert\'); DROP TABLE Students;--'

which is secure (note the backslash).

EDIT: (Actually, do note the comment by CL)
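To make the difference concrete, here is an added example (not code from the question, the answer, or the Python docs) that runs both patterns against an in-memory SQLite database. It uses the payload quoted in the answer above plus the classic tautology input, and reports what each query returns: with string formatting the input becomes part of the SQL text, so it either widens the WHERE clause or makes SQLite reject the statement, whereas with a bound parameter the same input is compared as plain data and matches nothing. The table contents, the `Students` table, and the function names are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_STOCKS = [("RHAT", 35.14), ("IBM", 45.0), ("MSFT", 72.0)]

# Hostile inputs: the one quoted in the answer above, plus the classic
# tautology that turns "symbol = '...'" into an always-true condition.
DROP_PAYLOAD = "Robert'); DROP TABLE Students;--"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def make_db():
    """In-memory database with the 'stocks' table from the docs snippet and
    a 'Students' table so the DROP in the payload would have a target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stocks (symbol TEXT, price REAL)")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.executemany("INSERT INTO stocks VALUES (?, ?)", SAMPLE_STOCKS)
    conn.commit()
    return conn


def table_names(conn):
    """Names of all tables currently in the database, sorted."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def lookup_formatted(conn, symbol):
    """Insecure pattern: the value is spliced into the SQL text, so any quote
    characters it contains are parsed as SQL rather than compared as data."""
    sql = "SELECT symbol FROM stocks WHERE symbol = '%s'" % symbol
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, symbol):
    """Safe pattern: the SQL text is fixed; the value travels separately as a
    bound parameter and is compared as data, whatever characters it contains."""
    rows = conn.execute("SELECT symbol FROM stocks WHERE symbol = ?", (symbol,))
    return [row[0] for row in rows]


def compare(symbol):
    """Run both lookups on a fresh database and report what each returned.
    If SQLite refuses to parse the formatted statement, that entry reads
    'rejected: <message>' instead of a row list."""
    conn = make_db()
    result = {}
    for name, fn in (("formatted", lookup_formatted), ("bound", lookup_bound)):
        try:
            result[name] = fn(conn, symbol)
        except (sqlite3.Error, sqlite3.Warning) as exc:
            result[name] = "rejected: %s" % exc
    result["tables_after"] = table_names(conn)
    return result


if __name__ == "__main__":
    for value in ("RHAT", TAUTOLOGY_PAYLOAD, DROP_PAYLOAD):
        print(repr(value), compare(value))
```

Running it shows the benign symbol behaving identically under both patterns, the tautology returning every row through the formatted query but nothing through the bound one, and the quoted payload being rejected as malformed SQL when formatted while the bound query simply finds no such symbol. Note that the driver never escapes the value with a backslash; the value is passed to SQLite's bind API and never enters the statement text at all.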

Licensed under: CC-BY-SA with attribution