i Don't get why it makes trouble

azrael jura.grozni at gmail.com
Fri Aug 14 03:51:10 CEST 2009


On 14 kol, 00:14, Philip Semanchuk <phi... at semanchuk.com> wrote:
> On Aug 13, 2009, at 6:00 PM, azrael wrote:
>
>
>
>
>
> > On 13 kol, 22:09, Philip Semanchuk <phi... at semanchuk.com> wrote:
> >> On Aug 13, 2009, at 2:56 PM, azrael wrote:
>
> >>>>>> j
> >>> [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
> >>>>>> len(j)
> >>> 5
> >>>>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
> >>>>>> d.id_drzava, v.id_valuta FROM   ulica as u, opcina as o, zupanija
> >>>>>> as z, drzava as d, valuta as v  WHERE  u.naziv = '%s' AND o.naziv
> >>>>>> = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =
> >>>>>> '%s'""" % (j)
> >>> Traceback (most recent call last):
> >>>  File "<string>", line 1, in <string>
> >>> TypeError: not enough arguments for format string
>
> >> Hi azrael,
> >> You already have an answer to your question so I won't address  
> >> that. I
> >> want to point out that this is a dangerous way to build SQL  
> >> statements.
>
> >> For instance, what happens if someone enters a city name of L'viv?
> >> Your SQL will break due to mismatched single quotes. This kind of  
> >> code
> >> is vulnerable to SQL injection attacks:http://en.wikipedia.org/wiki/SQL_injection
>
> >> Parameterized SQL is safer. Googling for 'parameterized SQL Python'
> >> should find some examples for you.
>
> >> Good luck
> >> Philip
>
> > I know Already. This is sopussed to be a small office application
> > connecting on a LAN mysql server with no web connection. Thank you
> > anyway
>
> You're welcome. I'm glad you are aware. You're ahead of a lot of  
> developers out there.
>
> I encourage you to at least think about using parameterized SQL anyway  
> because you never know when someone (maybe even you!) will copy &  
> paste your code, or use your library without realizing that it was  
> "internal use only". It's usually just as easy as building SQL strings  
> anyway.
>
> And besides, what about L'viv? =)
>
> Good luck with whatever choice you make
> Philip

Currently I am working on just a prototype to show what is possible to
be done to get me some fundings for my future work. after that I will
get over to an SQL Alchemy. It's ORM will take over this business for
me.

A lot of people a not aware of SQL injection. My friend from college
asked me and a couple of other guys for Pen testing of an website. His
SQL injection mistake made him an epic fail.

Thanks



More information about the Python-list mailing list