
Man, that's a pretty serious SQL warning.

Comments
  • 9
    Does it blow up the system😅😮
  • 32
    @hiteshd45 No, but it might cause your data to run away from home.
  • 7
    Been there before! Spent months refactoring code with that horrible security. SQL injection at its finest.
  • 2
    @destructor oh my. It's time to delete that crap and start fresh.
  • 0
    So python is as insecure as php?
  • 2
    I'm doing that but it's inside an AWS lambda function. The variables are within the function; nothing from the outside is used. I assume I don't have to worry there.
  • 4
    Python3 correct way
    # sqlite3 uses "?" placeholders; the driver binds the values, so nothing is spliced into the SQL text
    cursor.execute("update my_table set col1 = ?, col2 = ?", ('data1', 'data2'))
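    As an added example (not code from the thread), the formatted-string pattern the screenshot warns about next to the bound-parameter form, run against a constructed in-memory sqlite3 table; the `users` table, the `lookup_*` helpers and the sample rows are all assumptions for the demo.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the application's real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_unsafe(conn, name):
    # What the psycopg docs warn against: the value becomes part of the SQL grammar,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Driver-side binding: the value is sent as data and can never change the query.
    # (psycopg uses %s placeholders with the same tuple argument: execute(sql, (name,)).)
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# The classic tautology from the thread's joke, used only to show the difference.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, PAYLOAD))  # every row: the filter was rewritten away
    print(lookup_safe(db, PAYLOAD))    # []: nobody is literally named that
```

    The safe form returns nothing for the payload because the whole string is compared as a name, which is exactly the guarantee the bound-parameter API gives.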
  • 9
    @edwrodrig They're tools. If you use any tool in an insecure way, the result is a security hole.
  • 8
    @edwrodrig That has nothing to do with Python... it is the fault of the programmer if it is insecure. If I set my SSH password to "123456" and someone gets in, you wouldn't blame it on SSH, would you? Same with SQL injection: if you use it wrong, it can be insecure.
  • 5
    I was wondering where the screenshot is from, here it is: http://initd.org/psycopg/docs/...
  • 1
    It was sarcasm. Some people argue in the typical Python vs PHP comparison that Python is more secure than PHP because of SQL injections, which is a stupid argument.
  • 1
    I'm just wondering, does any system do this anymore?
    Like most people I see go with a SQL-injection-safe ORM or something, right?? It's hard for me to believe any valuable app does this nowadays.
    Yeah, maybe back then when writing raw SQL in PHP was the only way to go, but today? Idk.
  • 2
    @jackgreen There are a lot of idiots out there. I've seen SQL injections in Laravel codebases using DB::raw with concatenated shit. The idiot who wrote it excused it with it being "faster" (while it is true that the query builder adds some overhead and doesn't always generate great SQL, you can still bind your parameters).
  • 2
    @Jop- I really really like that wording 😊
  • 1
    I'll just say this:

    ' 1=1; --
  • 1
    @SHA-256 was going to say the same. Glad you got to it first!
  • 2
    @AnonymousCoder Can you provide me the link of this doc ? I want to surprise my friend who is using postgres and python in his app ..
  • 1
    @captain-sully link is already given by "fradow"... See above comment
  • 1
    @AnonymousCoder oh my bad. Didn't read all the comments. Thanks btw for the quick response and the laugh :)
  • 0
    That's the reason I don't choose Python for my skill list.
  • 0
    @fidellr Because it warns you about a possible user error ?
  • 0
    @destructor this was going to be my comment word for word