Struggling to convert a mysql datetime object to a python string of a different format

Νίκος nikos.the.gr33k at gmail.com
Sat Aug 7 09:09:59 CEST 2010


On 6 Αύγ, 08:13, John Nagle <na... at animats.com> wrote:
> On 8/4/2010 4:40 PM, Íßêïò wrote:
>
> >            cursor.execute( ''' SELECT host, hits, date FROM visitors WHERE page
> > = '%s' ORDER BY date DESC ''' % (page) )
>
> Don't do string substitution ("%") on SQL statements.  Let MySQLdb do it
> for you, with proper escaping:
>
>     cursor.execute('''SELECT host, hits, date FROM visitors WHERE page=%s
>         ORDER BY date DESC''', (page,))

Thanks i didn't know.
But you also do use '%s' here as well. Just without the quotes? Why?
How is this valid?
And also what's the comma after the (page,) ? What does the comam do?

>
> The difference is that if some external source can control "page", and
> they put in a value like
>
>         100 ; DELETE FROM visitors; SELECT * FROM visitors
>
> you just lost your data.

Thanks iam trying to test this because its very interesting and when i
try:

http://webville.gr/index.html?show=log&page="index.html ; DELETE FROM
visitors; SELECT * FROM visitors"

cgitb gives me an error

  53         except MySQLdb.Error:
   54                 print ( "Error %d: %s" % (e.args[0],
e.args[1]) )
   55         else:
   56                 #display dataset
e undefined
NameError: name 'e' is not defined
      args = ("name 'e' is not defined",)

How can i try it successfully?
Have to ssay here that i use mod_rewrite in my remote web server and
every incoming html request gets treated by counter.py with this rule

RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^/?(.+\.html) /cgi-bin/counter.py?page=$1 [L,PT,QSA]

Also for the program exectuion to reach the:

cursor.execute( ''' SELECT host, hits, date FROM visitors WHERE page =
'%s' ORDER BY date DESC ''' % (page) )

statement i expect the user to:

#
=================================================================================================================
# if extra string is attached to the URL is 'log' then show excplicit
page log and exit
#
=================================================================================================================
if form.getvalue('show') == 'log':

Please help me reproduce what you suggest. I beleive its called MySQL
injection and i very like want to see this in action! :-)





More information about the Python-list mailing list