String substitution VS proper mysql escaping
nikos.the.gr33k at gmail.com
Wed Aug 18 05:15:24 CEST 2010
cursor.execute( ''' SELECT host, hits, date FROM visitors WHERE page =
'%s' ORDER BY date DESC ''' % (page) )
Someone told me NOT to do string substitution ("%") on SQL statements
and to let MySQLdb do it
for me, with proper escaping like the following
cursor.execute('''SELECT host, hits, date FROM visitors WHERE page=%s
ORDER BY date DESC''', (page,))
The difference is that if some external source can control "page",
they put in a value like
100 ; DELETE FROM visitors; SELECT * FROM visitors
i will be losing my database table data.
a) I wanted to ask what is proper escaping mean and why after variable
page syntax has a comma
and as i have the script now
why don't my code as i have it now for string reproduction
http://webville.gr/index.html?page="100 ; DELETE FROM visitors; SELECT
* FROM visitors "
don't reproduce the problem of actual deleting my data. I don't care
I just want to see that happening with my own eyes!
More information about the Python-list