Sqlite format string

ivanko.rus at gmail.com ivanko.rus at gmail.com
Sun Aug 30 00:40:46 CEST 2009


29.08.2009 17:26 пользователь Tim Chase <python.list at tim.thechases.com>  
написал:
> ivanko.rus at gmail.com wrote:


> 29.08.2009 15:40 пользователь "Sergio Charpinel Jr."  
> sergiocharpinel at gmail.com> написал:


> Thanks.

> Do you know if both of them works for mysql too?





> 2009/8/29 ivanko.rus at gmail.com>





> 29.08.2009 15:27 пользователь "Sergio Charpinel Jr."  
> sergiocharpinel at gmail.com> написал:




> Actually, this works for any string (it doesn't depend on anything else).  
> So you can pass "somestring {0}".format(foo) to any function because the  
> string will be formatted _first_ and then passed as an argument. The same  
> goes with "somestring %s" % "foo". Both will work




> Bad idea when assembling SQL, unless you _like_ SQL-injection attacks:



> sql = "select * from users where name='%s' and password='%s'"



> # get some values from an untrusted user:

> name = "administrator"

> password = "' or 1=1; drop table users; --"



> cursor.execute(sql % (name, password))

> # uh-oh!



> This is why it's so important to use the DB API's own escaping functions.



> -tkc
Sergio, Tim Chase is absolutely right! What you can do here is check every  
field separately OR you can modify the format() method to automatically do  
that. In the second case, you need to create your method first and then  
assign it to the str.format method like that: str.format =  
your_format_method . Note that there are NO parenthesis. For more details,  
look at this recipe: http://code.activestate.com/recipes/92823/ . I think  
it will simplify the things for you later, as every time you will call the  
str.format method, the values will be checked automatically.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20090829/31c08733/attachment.html>


More information about the Python-list mailing list