[DB-SIG] Mysqldb python variable in request

Denis S. Otkidach ods at strana.ru
Fri Jan 23 09:55:10 EST 2004


On Thu, 22 Jan 2004, Vernon Cole wrote:

VC> Note that all substitution is done in python, so I can check the syntax
VC> using a python print statement. Also note that there are single quotes
VC> around the %s constructs. These single quotes are passed to the SQL server,
VC> which needs to see a string literal at that point. Python is filling in the
VC> value for the literal. In your case, try something like:
VC>
VC> cursor.execute(""" select %s from Xml2Mysql where %s='%s'
VC> """ % (target,
VC> constraint, constraint_value))

It's bad advice that in some cases can lead to security holes
in the program.  What if some string is from an untrusted source and
contains a "'" character?  Let me provide an example.  If your
program provides some service for many users and allows the user
to remove his own data with the following SQL statement:
"""delete from important_data where user='%s'""" % user
then I can try the user name "my name' OR '1" and the condition in your
statement will always be true!

-- 
Denis S. Otkidach
http://www.python.ru/      [ru]
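Added example (not from either poster): the interpolated DELETE from the reply beside the same statement with DB-API parameter binding, run against a constructed in-memory SQLite table so it works offline. SQLite's placeholder is "?"; MySQLdb uses "%s" in the SQL text with the same `(params,)` tuple, and the driver escapes the value itself.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the "important_data" table from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table important_data (user text, payload text)")
    conn.executemany("insert into important_data values (?, ?)",
                     [("alice", "a"), ("bob", "b"), ("carol", "c")])
    conn.commit()
    return conn


def remaining(conn):
    # Users still present after a delete, for comparison.
    return sorted(row[0] for row in conn.execute("select user from important_data"))


def delete_unsafe(conn, user):
    # The quoted advice: Python builds the SQL text, so the quotes are part of
    # the statement and a quote inside `user` closes the literal early.
    conn.execute("delete from important_data where user='%s'" % user)
    conn.commit()
    return remaining(conn)


def delete_safe(conn, user):
    # DB-API binding: the value travels separately from the statement text and
    # cannot change its structure. (MySQLdb: "... where user=%s", (user,))
    conn.execute("delete from important_data where user=?", (user,))
    conn.commit()
    return remaining(conn)


if __name__ == "__main__":
    # The payload from the thread: interpolation wipes the table, binding
    # deletes nothing because no user is literally named that.
    print(delete_unsafe(make_db(), "my name' OR '1"))
    print(delete_safe(make_db(), "my name' OR '1"))
```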