<div class="gmail_quote">On Sat, Jan 9, 2010 at 8:39 AM, Tim Chase <span dir="ltr"><<a href="mailto:python.list@tim.thechases.com">python.list@tim.thechases.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">Victor Subervi wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi;<br>
The following code works fine. I would like you to suggest something more<br>
simple and elegant:<br>
<br>
sql = 'select p.ID from %sPackages p join %sCategoriesPackages c where<br>
c.CategoryID=%s;' % (store, store, categoryID)<br>
cursor.execute(sql)<br>
tmp = [itm[0] for itm in cursor]<br>
packageIDs = []<br>
for t in tmp:<br>
if t not in packageIDs:<br>
packageIDs.append(t)<br>
</blockquote>
<br></div>
You mean like<br>
<br>
sql = "select distinct p.ID from ..." % (...)<br></blockquote><div><br>Oh, that's good!<br> <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
# ^^^^^^^^<br>
cursor.execute(sql)<br>
package_ids = [row[0] for row in cursor.fetchall()]<br>
<br>
It would also help if you didn't pass the categoryID as a string-formatted value, but as a proper parameter, something like<br>
<br>
sql = "... where c.categoryid=?" % (store, store)<br>
cursor.execute(sql, (category_id,))<br></blockquote><div><br>I now have the following:<br><br> sql = 'select distinct p.ID from %sPackages p join %sCategoriesPackages c where c.CategoryID=?;' % (store, store)<br>
cursor.execute(sql, (categoryID,))<br> packageIDs = [itm[0] for itm in cursor]<br><br>It threw this error:<br><br> /var/www/html/<a href="http://angrynates.com/christians/cart/display.py">angrynates.com/christians/cart/display.py</a><br>
141 print '</td></tr></table>\n'<br> 142 cursor.close()<br> 143 bottom()<br> 144 <br> 145 display()<br>display = <function display><br> /var/www/html/<a href="http://angrynates.com/christians/cart/display.py">angrynates.com/christians/cart/display.py</a> in display()<br>
109 categoryID = cursor.fetchone()[0]<br> 110 sql = 'select distinct p.ID from %sPackages p join %sCategoriesPackages c where c.CategoryID=?;' % (store, store)<br> 111 cursor.execute(sql, (categoryID,))<br>
112 packageIDs = [itm[0] for itm in cursor]<br> 113 for pid in packageIDs:<br>global cursor = <MySQLdb.cursors.Cursor object>, cursor.execute = <bound method Cursor.execute of <MySQLdb.cursors.Cursor object>>, sql = 'select distinct p.ID from productsPackages p join productsCategoriesPackages c where c.CategoryID=?;', categoryID = 1L<br>
/usr/lib64/python2.4/site-packages/MySQLdb/cursors.py in execute(self=<MySQLdb.cursors.Cursor object>, query='select distinct p.ID from productsPackages p join productsCategoriesPackages c where c.CategoryID=?;', args=(1L,))<br>
146 query = query.encode(charset)<br> 147 if args is not None:<br> 148 query = query % db.literal(args)<br> 149 try:<br> 150 r = self._query(query)<br>query = 'select distinct p.ID from productsPackages p join productsCategoriesPackages c where c.CategoryID=?;', db = <weakproxy at 0x2b79db9dc470 to Connection>, db.literal = <bound method Connection.literal of <_mysql.connection open to 'localhost' at 142be8b0>>, args = (1L,)<br>
<br>TypeError: not all arguments converted during string formatting<br> args = ('not all arguments converted during string formatting',) <br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
This helps prevent SQL-injection attacks (assuming you have full control over the value of "store"...otherwise, as you've been advised, if the remote user has control over the value in "store", you're asking to be exploited). </blockquote>
<div><br>They have control over it. I pass it in the url. Please advise.<br> <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">You'd have to check the place-holder character for your particular back-end:<br>
<br>
>>> import <your database engine> as db<br>
>>> print db.paramstyle<br>
<br></blockquote><div>Printed "format". What's that mean? I use MySQLdb <br></div>TIA,<br>beno<br>
</div>