On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick
<benja...@schollnick.net> wrote:
> cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
> cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )
>
> Sure, whoever wrote that code is a fool.
>
> http://xkcd.com/327/
>
> They didn't sanitize your database inputs.

I assume you're talking about the above two lines of code? They're not
SQL injection targets. The clue is that the %s isn't in quotes. This
is an out-of-band argument passing method (actually, since he's using
MySQL (IIRC), it's probably just going to escape it and pass it on
through, but it comes to the same thing), so it's safe.

ChrisA
-- 
http://mail.python.org/mailman/listinfo/python-list

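To make the distinction in the reply above concrete, here is an added example (not code from the thread, and not MySQLdb) that puts the two styles side by side. It uses the standard-library sqlite3 module so it runs offline; sqlite3's DB-API paramstyle is "qmark" (`?`) where MySQLdb's is "format" (`%s`), but the mechanism is the same: the placeholder is outside any quotes and the driver binds the value out of band. The `counters` table, its rows and the attacker-controlled `page` value are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the poster's MySQL "counters" table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE counters (ID INTEGER PRIMARY KEY, url TEXT, hits INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO counters (url, hits) VALUES (?, ?)",
        [("/index.html", 10), ("/about.html", 3)],
    )
    conn.commit()
    return conn


# Constructed attacker-controlled input (e.g. taken straight from a request).
MALICIOUS_PAGE = "' OR '1'='1"


def lookup_unsafe(conn, page):
    """Python-level string formatting.

    Here %s sits INSIDE single quotes and is expanded by Python before the
    driver ever sees the query, so the input becomes part of the SQL text.
    This is the pattern the xkcd strip is about.
    """
    query = "SELECT ID FROM counters WHERE url = '%s' ORDER BY ID" % page
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, page):
    """DB-API parameter binding, as in the quoted cur.execute(..., page) calls.

    The placeholder (? here, %s in MySQLdb) is NOT quoted and the value is
    passed as a separate argument; the driver binds it as data, so a quote
    character in `page` can never terminate the string literal.
    """
    query = "SELECT ID FROM counters WHERE url = ? ORDER BY ID"
    return [row[0] for row in conn.execute(query, (page,))]


def record_hit(conn, page):
    """The SELECT-then-INSERT from the thread, written with bound parameters."""
    ids = lookup_safe(conn, page)
    if not ids:
        conn.execute("INSERT INTO counters (url) VALUES (?)", (page,))
        conn.commit()
        ids = lookup_safe(conn, page)
    return ids[0]


if __name__ == "__main__":
    db = make_db()
    print("unsafe, legit input:   ", lookup_unsafe(db, "/index.html"))
    print("safe,   legit input:   ", lookup_safe(db, "/index.html"))
    print("unsafe, injected input:", lookup_unsafe(db, MALICIOUS_PAGE))
    print("safe,   injected input:", lookup_safe(db, MALICIOUS_PAGE))
    print("new counter row ID:    ", record_hit(db, "/new.html"))
```

With a legitimate URL both functions return the same row. With the injected value, `lookup_unsafe` ends up running `... WHERE url = '' OR '1'='1'` and returns every row, while `lookup_safe` looks for a URL that is literally `' OR '1'='1` and finds nothing. Note that sqlite3 requires the parameters as a sequence (`(page,)`), whereas the quoted MySQLdb code passes the bare string; wrapping it in a tuple works with both drivers.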