The SQL statement that you're generating doesn't have quotes around it in the case of a string input, so it expects a table name, column name, SQL keyword, etc. With the number, however, it parses correctly.
To fix this, check out this, and read about the "vars" statement: http://webpy.org/cookbook/select It will correctly put quotes around strings or leave integers as they are. More importantly, using the "vars" keyword protects against SQL injection attacks -- you're currently vulnerable to them. If someone went to your page:

http://localhost:8080/123; drop table page

...it would pop that command right into your database. Using the vars command would have escaped that into the string "123; drop table page" and no damage would have been done.

Cheers,
Justin

On Dec 23, 4:09 am, adelevie <[email protected]> wrote:
> Hi, I am building a wiki using web.py as a learning exercise. I want
> one of my "view" functions (I've been working on Django a lot ;) ) to
> take a page title using GET and first check if a page with that title
> exists. If it does exist, I want to display the page. If the page does
> not exist, I want to redirect the user to a create page form.
>
> Most of this is fairly trivial, however I have had trouble checking if
> the row exists. This is what I have so far:
>
> import web
> import sqlite3
>
> render = web.template.render('templates/')
> db = web.database(dbn='sqlite', db='database.sqlite')
>
> urls = (
>     '/', 'index',
>     '/create/([a-zA-Z0-9_]+)', 'create_page',
>     '/([a-zA-Z0-9_]+)', 'view_page',
>     '/edit/([a-zA-Z0-9_]+)', 'edit_page'
> )
> app = web.application(urls, globals())
>
> class index:
>     def GET(self):
>         return "index"
>
> class create_page:
>     def GET(self, name):
>         # insert page into database with title=name and content="",
>         # then redirect to edit_page
>         pass
>
> class view_page:
>     def GET(self, name):
>         # the title is pasted straight into the SQL text, unquoted
>         page = db.select('page', what="page_content, page_title",
>                          where="page_title = %s" % name)
>         if page:
>             # send page object to template
>             pass
>         else:
>             return web.seeother('/create/%s' % name)
>
> class edit_page:
>     def GET(self, name):
>         # sends page object to template with edit form
>         pass
>
> if __name__ == "__main__":
>     app.run()
>
> If I go to http://localhost:8080/123456, everything works fine.
> If I go to http://localhost:8080/onetwothreeetc, I get an error: "no
> such column: onetwothreeetc"
>
> Any help would be greatly appreciated.
> Thanks!
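As an added example, not code from the thread or from web.py itself: the same lookup run against an in-memory SQLite table through Python's sqlite3 module directly, so the behaviour is reproducible without a web.py install. It shows why the numeric title "worked" with string interpolation and the alphabetic one raised "no such column", what a payload that stays inside one statement does to the interpolated query, and the bound-parameter form, which is what web.py's vars=dict(name=name) together with a "$name" placeholder in the where clause produces for you. The table, its three rows and the attacker inputs are constructed for the demo; the ";" drop table" payload from the reply is included to show that this particular driver refuses stacked statements in execute(), which is a property of the driver, not of the code under test.

```python
import sqlite3

# Constructed sample data for the demo (not the poster's real wiki): one page with
# a numeric title, which is the case that "worked", and two with alphabetic titles.
SAMPLE_PAGES = [
    ("123456", "numeric title"),
    ("onetwothreeetc", "alphabetic title"),
    ("Secret", "a page the visitor should not be able to enumerate"),
]


def make_db():
    """In-memory SQLite database with the table and columns the post queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (page_title TEXT PRIMARY KEY, page_content TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def select_unsafe(conn, name):
    """The post's query as written: the title is pasted into the SQL text unquoted.

    A numeric title becomes an integer literal, which SQLite converts to text
    before comparing it with the TEXT column, so it matches.  A word becomes a
    bare identifier, so the parser looks for a column of that name and fails.
    Anything containing SQL syntax is parsed and run as SQL.
    """
    sql = "SELECT page_content, page_title FROM page WHERE page_title = %s" % name
    return conn.execute(sql).fetchall()


def select_safe(conn, name):
    """Same lookup with a bound parameter.

    The driver passes the value separately from the SQL text, so it is always
    treated as a string to compare against and never parsed.  web.py's
    vars=dict(name=name) with where="page_title = $name" does the same thing.
    """
    sql = "SELECT page_content, page_title FROM page WHERE page_title = ?"
    return conn.execute(sql, (name,)).fetchall()


def view_page(conn, name):
    """The view_page.GET decision from the post, built on the safe lookup.

    Returns ("page", (content, title)) when the row exists, otherwise
    ("redirect", "/create/<name>") so the caller can issue the seeother.
    """
    rows = select_safe(conn, name)
    if rows:
        return ("page", rows[0])
    return ("redirect", "/create/%s" % name)


def demo():
    """Run the inputs from the thread through both forms and collect the results."""
    conn = make_db()
    out = {}

    # 1. numeric title: works by accident with interpolation
    out["numeric_unsafe"] = select_unsafe(conn, "123456")

    # 2. alphabetic title: the "no such column" error from the post
    try:
        select_unsafe(conn, "onetwothreeetc")
        out["alpha_unsafe"] = "no error"
    except sqlite3.OperationalError as err:
        out["alpha_unsafe"] = str(err)

    # 3. injection.  The sqlite3 driver refuses stacked statements in execute(),
    #    so the "; drop table page" payload is stopped by the driver rather than
    #    by the application code (other drivers and databases do run it).  A
    #    payload that stays inside one statement still gets through and reads
    #    every row, including the "Secret" page.
    tautology = "'' OR 1=1"  # constructed attacker input, assumed for the demo
    out["tautology_unsafe"] = select_unsafe(conn, tautology)
    try:
        select_unsafe(conn, "123; drop table page")
        out["stacked_unsafe"] = "executed"
    except (sqlite3.Warning, sqlite3.Error) as err:
        out["stacked_unsafe"] = "refused by driver: %s" % err
    out["rows_after_stacked"] = conn.execute("SELECT count(*) FROM page").fetchone()[0]

    # The bound-parameter version treats every input as a plain title string.
    out["alpha_safe"] = select_safe(conn, "onetwothreeetc")
    out["tautology_safe"] = select_safe(conn, tautology)
    out["stacked_safe"] = select_safe(conn, "123; drop table page")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %r" % (key, value))
```

The point to take from the tautology case is that "quoting the value" is the wrong mental model: the fix is not to wrap the interpolated title in quotes yourself (a title containing a quote character would break out again) but to keep the value out of the SQL text entirely, which is what the bound parameter, and web.py's vars, do.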
