Escaping confusion with Python 3 + MySQL

Steve D'Aprano steve+python at pearwood.info
Sun Mar 26 11:03:04 EDT 2017


On Mon, 27 Mar 2017 12:52 am, Νίκος Βέργος wrote:

> cur.execute('''UPDATE visitors SET (pagesID, host, ref, location, useros,
> browser, visits) VALUES ({}, {}, {}, {}, {}, {}, {}) WHERE host LIKE
> "{}"'''.format(pID, domain, ref, location, useros, browser, lastvisit,
> domain) )
> 
> Same kind of output in the error-log even with this attempt.


Don't do that! Even if you fix the SQL errors, this is vulnerable to code
injection attacks. If the caller can fool you into using a specially-made
string for any of those parameters (pID, domain, ref, ...) they can execute
any SQL code they like, without your knowledge.

https://xkcd.com/327/

http://www.explainxkcd.com/wiki/index.php/Little_Bobby_Tables


See also:

http://bobby-tables.com/



-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.



More information about the Python-list mailing list