-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ian Bicking <[EMAIL PROTECTED]> writes:
> More than smells, it is also insecure. When using the raw DB API, you
> should do:
>
> cursor.execute("... WHERE userName = %s", (userName,))
>
> Note the lack of '. The database driver will do the proper quoting
> for you, and protect against SQL injection. Lots of people aren't
> aware of this functionality, so I thought it should be noted for the
> benefit of anyone listening who is accessing databases this way.
Looking through some old code, I found quite a few places where I was
not using this functionality. Correcting that I ran into trouble since
I previously had placeholders in the string that were different based
on what type of data was added (string, integer, float, etc..), but
after I read the doc string:
def execute(self, query, args=None):
"""Execute a query.
query -- string, query to execute on server
args -- optional sequence or mapping, parameters to use with query.
Note: If args is a sequence, then %s must be used as the
parameter placeholder in the query. If a mapping is used,
%(key)s must be used as the placeholder.
Returns long integer rows affected, if any
"""
..I understood what was wrong.
Though I should add this to the thread, so other people banging their
heads against the same problem can get a less severe wound in their
forehead :-).
A small example to further clearify what I learned:
Before:
intvar = 3
stringvar = "foo"
cursor.execute("select name from members where login = '%s' and status =
%d" % (stringvar, intvar))
Now:
intvar = 3
stringvar = "foo"
cursor.execute("select name from members where login = %s and status =
%s", (stringvar, intvar,))
\EF
- --
Erik Forsberg http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>
iD8DBQFB1xXrrJurFAusidkRAiz8AJ0VM+7B1jdqXQQAKpJAzJWGllNR2wCgs1GC
3RPzRxofPSjchPzXUSHy2IA=
=EKn2
-----END PGP SIGNATURE-----
-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Webware-discuss mailing list
Webware-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/webware-discuss
