Re: Encountered an error

From: Jonathan Rogers
Subject: Re: Encountered an error
Msg-id: 56E7BFD6.5020901@socialserve.com
In reply to: Re: Encountered an error (Shaan Repswal <shaun.reapswaal@gmail.com>)
List: psycopg
On 03/15/2016 01:15 AM, Shaan Repswal wrote:
> The value of the textbox is in String. I just have to call a
> "get_text()" method on a textbox object and I get the string value. I
> used it just a few minutes ago. It's working now. Thanks a lot. I'm not
> too worried about sql injections just yet because the only people about
> to use this application are supposed to have all access anyway.

That attitude is exactly why security flaws are so rampant. How likely
is it that you'll rewrite all your queries the day someone untrusted
gains access to the system? Several classes of bugs are eliminated by
using the DB API correctly, not just security vulnerabilities. Use
psycopg2's value interpolation now or you'll regret it later.

I just fixed a bug in which Postgres received invalid syntax because
Python code sent a value for an interval as an exponential
notation-formatted float. The code would work as long as the value
wasn't below some threshold so the bug lurked for months. The fix was to
use a Python timedelta value, which psycopg2 always sends to Postgres
correctly as an interval.

You don't have to take my word for it. Read the docs themselves about
the pitfalls of doing your own SQL value formatting:

http://initd.org/psycopg/docs/usage.html#sql-injection
--
Jonathan Rogers
Socialserve.com by Emphasys Software
jrogers@emphasys-software.com
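An added example illustrating the two points in the message above (it is not code from the thread or from psycopg2). It uses the standard-library sqlite3 driver so it runs offline; psycopg2 exposes the same DB-API 2.0 `cursor.execute(sql, params)` shape, with `%s` as the placeholder where sqlite3 uses `?`. The `users` table and its rows are constructed sample data, and the function names are mine.

```python
"""String-formatted SQL vs. DB-API parameters, plus the float-interval pitfall.

Runs against an in-memory sqlite3 database (standard library) so no Postgres
server is needed; psycopg2 takes the same (sql, params) call, spelled with %s
placeholders instead of ?.
"""
import sqlite3
from datetime import timedelta


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, name):
    """BAD: the value is pasted into the SQL text.

    Any quote character in `name` is parsed as SQL syntax, so an attacker can
    rewrite the WHERE clause, and an innocent name like O'Brien is a syntax
    error. psycopg2 equivalent: cur.execute("... WHERE name = '%s'" % name).
    """
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """GOOD: the driver receives the value separately and quotes or binds it.

    The value can never be parsed as SQL. psycopg2 equivalent:
    cur.execute("SELECT email FROM users WHERE name = %s", (name,)).
    """
    cur = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]


def quote_breaks_unsafe_query(conn, name):
    """True if the string-formatted query fails outright on this input."""
    try:
        lookup_unsafe(conn, name)
    except sqlite3.Error:
        return True
    return False


# Constructed attacker input: closes the literal and appends a tautology.
INJECTED = "nobody' OR '1'='1"


def format_interval_unsafe(seconds):
    """BAD: formatting a float by hand. str() of a float switches to exponent
    notation below 1e-4, so small values produce text such as '1e-05 seconds',
    which is the lurking threshold bug described in the message."""
    return "%s seconds" % seconds


def interval_param(seconds):
    """GOOD: pass a timedelta as a query parameter and let psycopg2 adapt it
    to a Postgres interval, e.g. cur.execute("... WHERE t > %s", (delta,))."""
    return timedelta(seconds=seconds)


if __name__ == "__main__":
    db = make_db()
    print("unsafe, injected :", lookup_unsafe(db, INJECTED))   # every row
    print("safe,   injected :", lookup_safe(db, INJECTED))     # no match
    print("unsafe, O'Brien  :", quote_breaks_unsafe_query(db, "O'Brien"))
    print("unsafe interval  :", format_interval_unsafe(0.00001))
    print("safe interval    :", interval_param(0.00001))
```

The injected input turns the WHERE clause into `name = 'nobody' OR '1'='1'` and returns every row in the unsafe version, while the parameterised version looks for a user literally named `nobody' OR '1'='1` and finds none. The same separation of code and data is what makes `O'Brien` a normal value rather than a syntax error.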

