| From: | Karsten Hilbert <Karsten(dot)Hilbert(at)gmx(dot)net> |
|---|---|
| To: | psycopg(at)postgresql(dot)org |
| Subject: | Re: Encountered an error |
| Date: | 2016-03-15 17:04:34 |
| Message-ID: | 20160315170434.GA19908@hermes.hilbert.loc |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | psycopg |
On Tue, Mar 15, 2016 at 10:45:32AM +0530, Shaan Repswal wrote:
> The value of the textbox is in String. I just have to call a "get_text()"
> method on a textbox object and I get the string value. I used it just a few
> minutes ago. It's working now. Thanks a lot. I'm not too worried about sql
> injections just yet because the only people about to use this application
> are supposed to have all access anyway.
This is not at all about SQL injections. If I understand
correctly you are attempting to use a user supplied string
for a column name in a table.
In this case you will _have_ to preprocess the user input to
make it even _suitable_ for becoming a column name. At that
point not a single thought has been spent on any security
implications of such an approach yet.
Karsten
--
GPG key ID E4071346 @ eu.pool.sks-keyservers.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
| From | Date | Subject | |
|---|---|---|---|
| Next Message | John Morrison | 2016-03-18 22:00:30 | Psycopg2 GSSAPI |
| Previous Message | Jonathan Rogers | 2016-03-15 08:05:10 | Re: Encountered an error |