by Mawr
428 days ago
But you have to remember to call the right safe() function every time:

    db.execute(f"QUERY WHERE name = {name}")
    db.execute(f"QUERY WHERE name = {safe_html(name)}")

Oops, you're screwed and there is nothing that can detect that. No such issue with a t-string; it cannot be misused.
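Added example (not part of Mawr's comment) contrasting the two patterns the comment describes: the f-string version, where the caller has to remember to escape, against a t-string-style template whose consumer parameterises every interpolated value itself. Assumption: so that it runs on Python older than 3.14, the Template and Interpolation classes below are a minimal stand-in for string.templatelib; on 3.14+ a real t"..." literal yields an equivalent object and the sql() consumer works unchanged. The sqlite3 table and the two user rows are constructed sample data.

```python
import sqlite3
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Interpolation:
    """Stand-in for string.templatelib.Interpolation (value + source expression)."""
    value: Any
    expression: str


class Template:
    """Stand-in for string.templatelib.Template: a sequence of literal string
    parts and Interpolation objects, kept separate instead of concatenated.
    That separation is the whole point: the value never becomes query text."""
    def __init__(self, *parts):
        self.parts = parts

    def __iter__(self):
        return iter(self.parts)


def sql(template: Template) -> tuple[str, list[Any]]:
    """Consume a template: literal text is copied through, every interpolation
    becomes a '?' placeholder and its value is collected as a bound parameter.
    The caller has nothing to remember; there is no safe() to forget."""
    query, params = [], []
    for part in template:
        if isinstance(part, Interpolation):
            query.append("?")
            params.append(part.value)
        else:
            query.append(part)
    return "".join(query), params


def make_db() -> sqlite3.Connection:
    # Constructed sample data: ids are assigned 1 and 2 in insertion order.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("O'Brien",)])
    return conn


def lookup_fstring(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # The f-string pattern from the comment: the value is spliced into the
    # query text, so any quote character in it changes the SQL structure.
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def lookup_template(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # Equivalent of t"SELECT id FROM users WHERE name = {name}" on 3.14+.
    template = Template("SELECT id FROM users WHERE name = ", Interpolation(name, "name"))
    query, params = sql(template)
    return conn.execute(query, params).fetchall()


def compare(name: str):
    """Run both lookups on the same input. Returns (template_result, fstring_result);
    the f-string result is an error string when the spliced query fails to parse."""
    conn = make_db()
    safe = lookup_template(conn, name)
    try:
        unsafe = lookup_fstring(conn, name)
    except sqlite3.OperationalError as exc:
        unsafe = f"error: {exc}"
    return safe, unsafe


if __name__ == "__main__":
    print(sql(Template("SELECT id FROM users WHERE name = ", Interpolation("alice", "name"))))
    print(compare("alice"))
    print(compare("O'Brien"))
```

With a plain name both lookups agree; with a name containing an apostrophe the f-string query breaks (the quote ends the SQL string literal early) while the template version still finds the row, because the consumer, not the caller, decides how the value reaches the database.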