Why The Sql Command Is Insecure?
When I am reading http://docs.python.org/2/library/sqlite3.html:

    # Never do this -- insecure!
    symbol = 'RHAT'
    c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
Solution 1:
Think about what happens if symbol contains, say, ' OR '' = ' -- an attacker could insert completely arbitrary criteria for the query. This is of particular concern if you have information about other customers' accounts in the same table, or are doing an update.
Also, http://xkcd.com/327/
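The difference the answer describes, worked through against a constructed in-memory copy of the docs' stocks table (added example, not from the question, the answer or the Python docs): the formatted query turns the quoted value into an always-true WHERE clause, while the same value passed as a bound parameter matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data shaped like the sqlite3 docs' stocks table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stocks (date TEXT, trans TEXT, symbol TEXT, qty REAL, price REAL)"
    )
    conn.executemany(
        "INSERT INTO stocks VALUES (?, ?, ?, ?, ?)",
        [
            ("2006-01-05", "BUY", "RHAT", 100, 35.14),
            ("2006-03-28", "BUY", "IBM", 1000, 45.0),
            ("2006-04-06", "SELL", "IBM", 500, 53.0),
        ],
    )
    return conn


def query_insecure(conn, symbol):
    # The pattern the docs warn about: the value is spliced into the SQL text,
    # so any quote characters inside `symbol` become part of the statement.
    sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
    return conn.execute(sql).fetchall()


def query_parameterized(conn, symbol):
    # The value is bound with a ? placeholder; SQLite treats it purely as data
    # and never parses it as SQL, whatever characters it contains.
    return conn.execute("SELECT * FROM stocks WHERE symbol = ?", (symbol,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '' = '"  # the value from the answer above
    # Resulting statement: SELECT * FROM stocks WHERE symbol = '' OR '' = ''
    print(len(query_insecure(conn, "RHAT")))        # 1 row: the intended lookup
    print(len(query_insecure(conn, payload)))       # 3 rows: every row in the table
    print(len(query_parameterized(conn, payload)))  # 0 rows: no symbol equals that string
```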