Escaping confusion with Python 3 + MySQL

Steve D'Aprano steve+python at
Sun Mar 26 11:03:04 EDT 2017

On Mon, 27 Mar 2017 12:52 am, Νίκος Βέργος wrote:

> cur.execute('''UPDATE visitors SET (pagesID, host, ref, location, useros,
> browser, visits) VALUES ({}, {}, {}, {}, {}, {}, {}) WHERE host LIKE
> "{}"'''.format(pID, domain, ref, location, useros, browser, lastvisit,
> domain) )
> Same kind of output in the error-log even with this attempt.

Don't do that! Even if you fix the SQL errors, this is vulnerable to code
injection attacks. If the caller can fool you into using a specially-made
string for any of those parameters (pID, domain, ref, ...) they can execute
any SQL code they like, without your knowledge.

See also:

“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.
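The point made above, values spliced into the SQL text versus passed to the driver as parameters, as an added example that is not from the post or the thread; it uses an in-memory sqlite3 table standing in for the visitors table (constructed columns and rows) so it runs offline, and the only MySQL-specific detail is the paramstyle noted in the comment.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the visitors table from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (pagesID INTEGER, host TEXT, "
                 "ref TEXT, visits INTEGER)")
    conn.executemany("INSERT INTO visitors VALUES (?, ?, ?, ?)",
                     [(1, "alice.example", "-", 1),
                      (2, "bob.example", "-", 1)])
    return conn


def update_visitor_unsafe(conn, host, ref, visits):
    # The pattern from the post: values spliced into the statement text
    # with str.format, so the server cannot tell data from SQL code.
    sql = ("UPDATE visitors SET ref = '{}', visits = {} "
           "WHERE host LIKE '{}'").format(ref, visits, host)
    return conn.execute(sql).rowcount


def update_visitor_safe(conn, host, ref, visits):
    # Placeholders: the driver ships the values separately from the SQL.
    # sqlite3 uses '?'; MySQLdb and PyMySQL use '%s' with the same tuple.
    sql = "UPDATE visitors SET ref = ?, visits = ? WHERE host LIKE ?"
    return conn.execute(sql, (ref, visits, host)).rowcount


def rows_touched(update, host, ref):
    """Run one updater against a fresh table and return how many rows it
    changed; -1 means the statement did not even parse."""
    conn = make_db()
    try:
        return update(conn, host, ref, 2)
    except sqlite3.Error:
        return -1
    finally:
        conn.close()


if __name__ == "__main__":
    hostile = "nobody' OR '1'='1"      # constructed value containing a quote
    print(rows_touched(update_visitor_unsafe, hostile, "-"))   # 2: every row
    print(rows_touched(update_visitor_safe, hostile, "-"))     # 0: no such host
    # Honest data with an apostrophe breaks the formatted version too.
    print(rows_touched(update_visitor_unsafe, "bob.example", "O'Reilly"))  # -1
    print(rows_touched(update_visitor_safe, "bob.example", "O'Reilly"))    # 1
```

The second pair shows that parameters are not only an injection fix: any legitimate value containing a quote breaks the str.format version, while the parameterized statement stores it as given.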

More information about the Python-list mailing list