[issue27717] sqlite documentation bug
New submission from Eyal Mor:

In the SQLite module documentation there is a code section showing how to securely use the sqlite.execute method. The problem with this code section is that just from a glance, without reading the paragraph before, or the comments in the section, users could use the insecure version. It would be better if only a secure example were in the code section.

https://docs.python.org/2/library/sqlite3.html

Section:

    # Never do this -- insecure!
    symbol = 'RHAT'
    c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

    # Do this instead
    t = ('RHAT',)
    c.execute('SELECT * FROM stocks WHERE symbol=?', t)
    print c.fetchone()

    # Larger example that inserts many records at a time
    purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
                 ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
                 ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
                ]
    c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)

----------
assignee: docs@python
components: Documentation
files: Screen Shot 2016-08-09 at 3.28.05 PM.png
messages: 272238
nosy: Eyal Mor, docs@python
priority: normal
severity: normal
status: open
title: sqlite documentation bug
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file44056/Screen Shot 2016-08-09 at 3.28.05 PM.png

_______________________________________
Python tracker <report@bugs.python.org>
<http://bugs.python.org/issue27717>
_______________________________________
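To make the difference between the two patterns quoted above concrete, here is an added example that is not part of the documentation or of this tracker thread: it runs both the string-formatted and the parameterized lookup against a constructed in-memory stocks table and reports how many rows each returns for the same input. The make_db, lookup_insecure, lookup_secure and compare names and the sample inputs are my own.

```python
import sqlite3

# Constructed sample rows (same shape as the documentation's stocks table).
PURCHASES = [
    ('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
    ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
    ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE stocks '
                 '(date text, trans text, symbol text, qty real, price real)')
    conn.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', PURCHASES)
    return conn


def lookup_insecure(conn, symbol):
    """The pattern the docs label "Never do this": the value is spliced into
    the SQL text, so a quote character inside it alters the statement itself."""
    sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
    return conn.execute(sql).fetchall()


def lookup_secure(conn, symbol):
    """The recommended pattern: a bound parameter never becomes part of the
    SQL text, so it is always compared as a plain value."""
    return conn.execute('SELECT * FROM stocks WHERE symbol=?', (symbol,)).fetchall()


def compare(symbol):
    """Return (rows from insecure lookup, rows from secure lookup) for one input.
    None means the spliced text was no longer valid SQL and sqlite rejected it."""
    conn = make_db()
    try:
        insecure = len(lookup_insecure(conn, symbol))
    except sqlite3.OperationalError:
        insecure = None
    return insecure, len(lookup_secure(conn, symbol))


if __name__ == '__main__':
    # 'IBM' is an ordinary lookup; the other two are constructed inputs that
    # contain a single quote, as any user-supplied field may.
    for value in ('IBM', "O'HARA", "X' OR '1'='1"):
        print(repr(value), compare(value))
```

The bound-parameter version answers every input as a comparison against the literal string, while the formatted version either fails on a harmless apostrophe or, worse, matches every row once the quote has rewritten the WHERE clause.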
R. David Murray added the comment:

I think it is pretty hard to miss "Never do this" when reading the code section. That said, I don't have a strong objection to changing it.

I've reduced the versions field to those branches this might get changed in, as is our standard practice with the versions field. Nor is this a security issue in our usage of that type, so I've changed the type to behavior.

----------
nosy: +r.david.murray
type: security -> behavior
versions: -Python 3.2, Python 3.3, Python 3.4
Berker Peksag added the comment:
> I think it is pretty hard to miss "Never do this" when reading the code section.

I agree with David. However, I may be biased since I spend a lot of time reading docs.python.org :)

Here is a patch that moves the insecure example to a separate code block.

----------
keywords: +patch
nosy: +berker.peksag
stage: -> patch review
Added file: https://bugs.python.org/file44214/issue27717.diff
Berker Peksag <berker.peksag@gmail.com> added the comment:

Looking at this again, I think the current version of the documentation should stay as-is. Perhaps my patch can keep the insecure example separated from the secure one, but I don't think it's worth applying.

----------
resolution: -> rejected
stage: patch review -> resolved
status: open -> closed