String substitution VS proper mysql escaping

Νίκος nikos.the.gr33k at gmail.com
Wed Aug 18 05:15:24 CEST 2010


===============================
cursor.execute( ''' SELECT host, hits, date FROM visitors WHERE page =
'%s' ORDER BY date DESC ''' % (page) )
===============================

Someone told me NOT to do string substitution ("%") on SQL statements
and to let MySQLdb do it
for me, with proper escaping like the following

===============================
cursor.execute('''SELECT host, hits, date FROM visitors WHERE page=%s
        ORDER BY date DESC''', (page,))
===============================

The difference is that if some external source can control "page",
and
they put in a value like
        100 ; DELETE FROM visitors; SELECT * FROM visitors
i will be losing my database table data.


a) I wanted to ask what is proper escaping mean and why after variable
page syntax has a comma

and as i have the script now

why don't my code as i have it now for string reproduction

===============================
http://webville.gr/index.html?page="100 ; DELETE FROM visitors; SELECT
* FROM visitors "
===============================

don't reproduce the problem of actual deleting my data. I don't care
losing it!

I just want to see that happening with my own eyes!




More information about the Python-list mailing list