
29 Apr 2024, 3:52 p.m.
On Mon, 29 Apr 2024 15:39:06 +1200, Peter Reutemann quoted:
'SQL syntax uses apostrophes to indicate the beginning and end of a data string. By entering strings with specially positioned apostrophes into vulnerable website fields, attackers can execute code that performs various sensitive actions, including returning confidential data, giving administrative system privileges, or subverting how the web app works.'
I don’t know why it’s considered so hard to do proper SQL quoting. Here’s how to turn a Python string into an SQL string literal: q = "'" + s.replace("'", "''") + "'"
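The quoting rule from the post, as an added example that is not part of the original message: it wraps the one-liner in a function and runs it against an in-memory sqlite3 database so the effect can be checked rather than asserted. It assumes the target database follows standard SQL string-literal syntax, where a doubled apostrophe is the only escape inside a literal (sqlite3 does; a server configured to treat backslash as an escape, such as MySQL in its default mode, is outside that assumption). The `users` table and the rows in it are constructed here for the demonstration, and the parameterized query is included only as a reference point.

```python
import sqlite3


def sql_literal(s: str) -> str:
    """Turn a Python str into a standard SQL string literal.

    Every apostrophe inside the value is doubled, then the whole thing is
    wrapped in apostrophes. Assumes standard SQL literal syntax: no
    backslash escapes, so doubling is the only thing that can terminate
    or continue the literal.
    """
    return "'" + s.replace("'", "''") + "'"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with three users.

    Row 3 is a user whose name literally is the classic injection string,
    so a correctly quoted lookup for it should return exactly that row.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("O'Brien",), ("x' OR '1'='1",)],
    )
    return conn


def lookup_naive(conn: sqlite3.Connection, name: str) -> list:
    """The vulnerable pattern: user input pasted straight into the query."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_literal(conn: sqlite3.Connection, name: str) -> list:
    """Same query shape, but the value goes through sql_literal() first."""
    sql = "SELECT id FROM users WHERE name = " + sql_literal(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_param(conn: sqlite3.Connection, name: str) -> list:
    """Reference point: a bound parameter, so no quoting is done by hand."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo() -> tuple:
    """Run all three lookups with the injection string as the 'name'.

    The naive query degenerates to WHERE name = 'x' OR '1'='1' and returns
    every row; the quoted and parameterized lookups both return only the
    row whose name really is that string.
    """
    conn = make_db()
    attack = "x' OR '1'='1"
    return (
        lookup_naive(conn, attack),
        lookup_by_literal(conn, attack),
        lookup_by_param(conn, attack),
    )


if __name__ == "__main__":
    print("literal for O'Brien:", sql_literal("O'Brien"))
    naive, quoted, param = demo()
    print("naive:", naive, "quoted:", quoted, "param:", param)
```

Running it shows the naive concatenation returning all three ids while the quoted and parameterized versions agree on the single matching row. The quoting function is only as good as the literal syntax it targets, which is why the lead-in pins the assumption to standard SQL; the sqlite3 driver here honours exactly that.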