On Wed, Jul 7, 2010 at 2:22 PM, Stephen Hansen me+list/pyt...@ixokai.io wrote:
First, it's always best to be explicit with insert statements. Meaning,
don't rely on the underlying structure of a table, as in:
INSERT INTO YourRandomTable VALUES (my, value, here);
Instead, do:
INSERT INTO
Ian hobso...@gmaiil.com wrote:
On 07/07/2010 19:38, Victor Subervi wrote:
Hi;
I have this code:
    sql = 'insert into personalDataKeys values (%s, %s, %s)' % (store, user,
        ', %s'.join('%s' * len(col_vals)))
    cursor.execute(sql, col_vals)
Is this open to injection attacks? If so,
On 7/8/10 6:20 AM, Victor Subervi wrote:
However, I now have another error. Here is my current command:
cursor.execute(insert into personalDataKeys (Store, User,
useFirstName, useLastName, usePhone, useCell, useFax, useAddress,
useShippingAddress, useDOB, useEmail, usePW) values (%s, %s,
On Thu, Jul 8, 2010 at 10:45 AM, Stephen Hansen me+list/pyt...@ixokai.io wrote:
On 7/8/10 6:20 AM, Victor Subervi wrote:
However, I now have another error. Here is my current command:
cursor.execute(insert into personalDataKeys (Store, User,
useFirstName, useLastName, usePhone,
On 7/7/2010 11:52 AM, Stephen Hansen wrote:
On 7/7/10 11:38 AM, Victor Subervi wrote:
Hi;
I have this code:
    sql = 'insert into personalDataKeys values (%s, %s, %s)' % (store, user,
        ', %s'.join('%s' * len(col_vals)))
    cursor.execute(sql, col_vals)
Bad approach. Don't put actual data
On 7/8/10 9:03 AM, Victor Subervi wrote:
mysql> describe products Store;
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| Store | varchar(40) | NO   | MUL | NULL    |       |
On 7/7/10 11:52 AM, Stephen Hansen wrote:
On 7/7/10 11:38 AM, Victor Subervi wrote:
Hi;
I have this code:
    sql = 'insert into personalDataKeys values (%s, %s, %s)' % (store, user,
        ', %s'.join('%s' * len(col_vals)))
    cursor.execute(sql, col_vals)
First, it's always best to be explicit
I've come to the realization that I don't need FKs at all here. Essentially,
what I need to do is consult personalDataKeys simply to determine what data
should be loaded into and retrieved from personalData. I was mistaken
because the data are not interdependent; it only appeared that way
Hi;
I have this code:
    sql = 'insert into personalDataKeys values (%s, %s, %s)' % (store, user,
        ', %s'.join('%s' * len(col_vals)))
    cursor.execute(sql, col_vals)
Is this open to injection attacks? If so, how do I correct it?
TIA,
beno
--
http://mail.python.org/mailman/listinfo/python-list
On 7/7/10 11:38 AM, Victor Subervi wrote:
Hi;
I have this code:
    sql = 'insert into personalDataKeys values (%s, %s, %s)' % (store, user,
        ', %s'.join('%s' * len(col_vals)))
    cursor.execute(sql, col_vals)
First, it's always best to be explicit with insert statements. Meaning,
don't rely
Stephen Hansen wrote:
On 7/7/10 11:38 AM, Victor Subervi wrote:
Hi;
I have this code:
    sql = 'insert into personalDataKeys values (%s, %s, %s)' % (store, user,
        ', %s'.join('%s' * len(col_vals)))
    cursor.execute(sql, col_vals)
First, it's always best to be explicit with insert statements.
On 07/07/2010 19:38, Victor Subervi wrote:
Hi;
I have this code:
    sql = 'insert into personalDataKeys values (%s, %s, %s)' % (store, user,
        ', %s'.join('%s' * len(col_vals)))
    cursor.execute(sql, col_vals)
Is this open to injection attacks? If so, how do I correct it?
TIA,
beno
Yes, it is
Yes, your SQL would be trivial to manipulate via SQL injection.
Not only do you need to validate each piece of data submitted by a user, you
need to escape all the wildcard characters that your database uses. If the text
string supplied by a user has quotes or parens or wildcard characters, the
Stephen Hansen me+list/pyt...@ixokai.io wrote:
You're doing string formatting
to construct your SQL, which is where the trouble comes from.
You're wasting your breath, this topic has been discussed ad nauseam
with Victor for well over a year now. He appears to be teaching
himself relational db