[DB-SIG] Mysqldb python variable in request

Denis S. Otkidach ods at strana.ru
Fri Jan 23 09:55:10 EST 2004

On Thu, 22 Jan 2004, Vernon Cole wrote:

VC> Note that all substitution is done in python, so I can check
VC> the syntax
VC> using a python print statement. Also note that there are
VC> single quotes
VC> around the %s constructs. These single quotes are passed to
VC> the SQL server,
VC> which needs to see a string literal at that point. Python is
VC> filling in the
VC> value for the literal. In your case, try something like:
VC> cursor.execute(""" select %s from Xml2Mysql where %s='%s'
VC> """ % (target,
VC> constraint, constraint_value))

It's a bad advice, that in some cases can lead to security holes
in the program.  What if some string is from untrusted source and
contains a "'" character?  Let me provide an example.  If your
program provides some service for many users and allows the user
to remove his own data with the following SQL statement:
"""delete from important_data where user='%s'""" % user
then I can try user name "my name' OR '1" and condition in your
statement will be always true!

Denis S. Otkidach
http://www.python.ru/      [ru]

More information about the DB-SIG mailing list