Is This Open To SQL Injection?

Stephen Hansen me+list/python at ixokai.io
Thu Jul 8 11:15:53 EDT 2010


On 7/8/10 6:20 AM, Victor Subervi wrote:
> However, I now have another error. Here is my current command:
> 
>     cursor.execute("insert into personalDataKeys (Store, User,
> useFirstName, useLastName, usePhone, useCell, useFax, useAddress,
> useShippingAddress, useDOB, useEmail, usePW) values (%s, %s, %s, %s, %s,
> %s, %s, %s, %s, %s, %s, %s)", ([store, user] + col_vals))

Quick point: why the parens around [store, user] + col_vars? They're
redundant.

> 
> I get this error from MySQL which I am having a hard time understanding:
> 
> LATEST FOREIGN KEY ERROR
> ------------------------
> 100708  6:15:01 Transaction:
> TRANSACTION 0 9382, ACTIVE 0 sec, process no 5326, OS thread id
> 1169992000 inserting, thread declared inside InnoDB 500
> mysql tables in use 1, locked 1
> 3 lock struct(s), heap size 368, undo log entries 1
> MySQL thread id 1502, query id 23700 localhost beno update
> insert into personalDataKeys (Store, User, useFirstName, useLastName,
> usePhone, useCell, useFax, useAddress, useShippingAddress, useDOB,
> useEmail, usePW) values ('specialty', 'patients', 1, 1, 1, 1, 1, 1, 0,
> 1, 1, 1)
> Foreign key constraint fails for table `test/personalDataKeys`:
> ,
>   CONSTRAINT `personalDataKeys_ibfk_1` FOREIGN KEY (`Store`) REFERENCES
> `products` (`Store`)

A foreign key is a constraint, a restriction, which says that rows in
TableA ("personalDataKeys") depend on certain *matching* rows to already
exist and always be valid in TableB ("products"); the exact match is a
column they have in common ("Store").

The purpose of foreign keys is to keep data consistent. Here, it appears
as if you have established a key such that the 'store' column in your
personalDataKeys table must point to a certain row in the products table
which has a 'store' column of the exact same value.

This error message is indicating that when you do this INSERT, there is
no corresponding row in the products table.

-- 

   Stephen Hansen
   ... Also: Ixokai
   ... Mail: me+list/python (AT) ixokai (DOT) io
   ... Blog: http://meh.ixokai.io/
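As an added illustration (not code from the thread), the constraint Stephen describes reproduced with Python's sqlite3 module: a parameterised insert in the shape of the original cursor.execute call is rejected while no matching products row exists and accepted once one does. The products schema and the column types are assumptions, since the post shows neither CREATE statement.

```python
import sqlite3

# Column list mirrors the personalDataKeys table from the thread; the schema
# itself is constructed here (the original post does not show CREATE statements).
FLAG_COLS = ["useFirstName", "useLastName", "usePhone", "useCell", "useFax",
             "useAddress", "useShippingAddress", "useDOB", "useEmail", "usePW"]

def open_db():
    """In-memory database with a products table and a personalDataKeys table
    whose Store column references products(Store), as in the thread's error."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.execute("CREATE TABLE products (Store TEXT PRIMARY KEY, Name TEXT)")
    conn.execute(
        "CREATE TABLE personalDataKeys (Store TEXT, User TEXT, "
        + ", ".join(f"{c} INTEGER" for c in FLAG_COLS)
        + ", FOREIGN KEY (Store) REFERENCES products (Store))"
    )
    return conn

def insert_keys(conn, store, user, col_vals):
    """Parameterised insert in the shape of the original cursor.execute call
    (sqlite3 uses ? where MySQLdb uses %s). Returns True on success, False
    when the foreign key constraint rejects the row."""
    cols = ["Store", "User"] + FLAG_COLS
    # Only fixed column names are spliced into the SQL text here, never data.
    sql = "INSERT INTO personalDataKeys (%s) VALUES (%s)" % (
        ", ".join(cols), ", ".join("?" * len(cols)))
    try:
        # Values travel as a parameter sequence; the driver never interpolates
        # them into the statement, which is what makes this injection-safe.
        conn.execute(sql, [store, user] + col_vals)
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False

def demo():
    conn = open_db()
    flags = [1, 1, 1, 1, 1, 1, 0, 1, 1, 1]  # the values from the quoted query
    # No 'specialty' row in products yet: the constraint rejects the child row.
    first = insert_keys(conn, "specialty", "patients", flags)
    # After the parent row exists, the identical insert succeeds.
    conn.execute("INSERT INTO products (Store, Name) VALUES (?, ?)",
                 ("specialty", "Specialty store"))
    second = insert_keys(conn, "specialty", "patients", flags)
    return first, second
```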
