59 | | At any cost, try avoiding the use of [http://docs.python.org/lib/typesseq-strings.html string formatting] to get values into the SQL statement. The database automatically escapes values you pass using {{{execute()}}} arguments; the same is not true if you use string formatting. If you '''absolutely cannot avoid''' it, be sure to apply the {{{sql_escape}}} function in [source:/trunk/trac/util.py trac.util] to all parameters you're passing in, to avoid possible [http://en.wikipedia.org/wiki/SQL_injection SQL injection] attacks: |
60 | | |
61 | | {{{ |
62 | | #!python |
63 | | from trac.util import sql_escape |
64 | | cursor.execute("SELECT author,ipnr,comment FROM wiki WHERE name=%s" % sql_escape(thename)) |
65 | | }}} |
| 59 | At any cost, try avoiding the use of [http://docs.python.org/lib/typesseq-strings.html string formatting] to get values into the SQL statement. The database automatically escapes values you pass using {{{execute()}}} arguments; the same is not true if you use string formatting, which opens your code up to [http://en.wikipedia.org/wiki/SQL_injection SQL injection] attacks. |
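As an added example (not part of the Trac wiki page or of Trac's own code), the two forms the text contrasts are run side by side against a constructed in-memory SQLite table named `wiki`: the string-formatted query lets a value that contains a quote alter the SQL text itself, while the `execute()` argument form binds the value and always treats it as data. The `?` placeholder is sqlite3's paramstyle and stands in for the `%s` that Trac's database layer uses with execute() arguments.

```python
import sqlite3

def make_db():
    """Constructed stand-in for Trac's wiki table (example data, not real Trac content)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wiki (name TEXT, author TEXT, ipnr TEXT, comment TEXT)")
    conn.executemany("INSERT INTO wiki VALUES (?,?,?,?)", [
        ("WikiStart", "admin", "127.0.0.1", "initial"),
        ("O'Neil", "oneil", "10.0.0.5", "page name containing a quote"),
    ])
    return conn

def lookup_formatted(conn, thename):
    """The pattern the wiki page warns against: the value is pasted into the SQL text,
    so any quote inside it changes the structure of the statement."""
    cursor = conn.cursor()
    cursor.execute("SELECT author,ipnr,comment FROM wiki WHERE name='%s'" % thename)
    return cursor.fetchall()

def lookup_parameterized(conn, thename):
    """The recommended form: the driver binds the value; it can never become SQL syntax."""
    cursor = conn.cursor()
    cursor.execute("SELECT author,ipnr,comment FROM wiki WHERE name=?", (thename,))
    return cursor.fetchall()

def demo(thename):
    """Run both lookups for one input. Returns (formatted_result, parameterized_result);
    the formatted result is an error string when the pasted value broke the SQL."""
    conn = make_db()
    try:
        formatted = lookup_formatted(conn, thename)
    except sqlite3.OperationalError as exc:
        formatted = "error: %s" % exc
    return formatted, lookup_parameterized(conn, thename)

if __name__ == "__main__":
    for name in ("WikiStart", "O'Neil"):
        print(name, demo(name))
```

For a plain name both forms agree; for `O'Neil` the formatted query fails because the embedded quote is parsed as SQL, which is exactly the mechanism an injection attack relies on, while the bound parameter returns the row correctly.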