i Don't get why it makes trouble

azrael jura.grozni at gmail.com
Fri Aug 14 00:00:19 CEST 2009


On 13 kol, 22:09, Philip Semanchuk <phi... at semanchuk.com> wrote:
> On Aug 13, 2009, at 2:56 PM, azrael wrote:
>
> >>>> j
> > [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
> >>>> len(j)
> > 5
> >>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,  
> >>>> d.id_drzava, v.id_valuta FROM   ulica as u, opcina as o, zupanija  
> >>>> as z, drzava as d, valuta as v  WHERE  u.naziv = '%s' AND o.naziv  
> >>>> = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =  
> >>>> '%s'""" % (j)
> > Traceback (most recent call last):
> >  File "<string>", line 1, in <string>
> > TypeError: not enough arguments for format string
>
> Hi azrael,
> You already have an answer to your question so I won't address that. I  
> want to point out that this is a dangerous way to build SQL statements.
>
> For instance, what happens if someone enters a city name of L'viv?  
> Your SQL will break due to mismatched single quotes. This kind of code  
> is vulnerable to SQL injection attacks:http://en.wikipedia.org/wiki/SQL_injection
>
> Parameterized SQL is safer. Googling for 'parameterized SQL Python'  
> should find some examples for you.
>
> Good luck
> Philip

I know Already. This is sopussed to be a small office application
connecting on a LAN mysql server with no web connection. Thank you
anyway



More information about the Python-list mailing list