[Tutor] Re: Please advice me on my code

Ms Soo Chong s4046441 at student.uq.edu.au
Wed Sep 29 04:51:34 CEST 2004


Lee Harr, thank you so much for your help! It is very much appreciated.

I know how I want it to show, but I don't know how to code it. And you helped me greatly by doing this code!!! Thank you.
Though some of the functions are very new to me, with this I can learn faster by referring to an actual output and
assistance from the Python tutes. Perfect way of learning (at least to a newbie like me). I'm so grateful...
I will try out the code and hopefully I can manage.

Thanks again.

Oh, one question: I don't really understand which method of my code will leave it wide open to SQL injection attacks.
Can you please explain it to me... sorry for that, I'm a bit slow.

Thank you.

Shufen



----- Original Message -----
From: Lee Harr <missive at hotmail.com>
Date: Wednesday, September 29, 2004 7:29 am
Subject: [Tutor] Re: Please advice me on my code

> import sys, os
> import cgi
> import cgitb; cgitb.enable()
> 
> import pg
> 
> 
> def form():
>    # Print the search form. The radio buttons pick the query type and
>    # the textarea carries the search text; the action is empty so the
>    # form posts back to this same script.
>    print """<form method="post" action="">
> 
> <p><input type=radio name="qtype" value="shot_number" checked />Shot Number<br />
> <input type=radio name="qtype" value="project" />Project
> </p>
> 
> <p>Type your keywords search here:<br>
> <textarea name="qtext" rows=2 cols=80></textarea>
> </p>
> 
> <input type="submit" value="SEARCH"><br>
> </form>"""
> 
> 
> 
> # The header line must come before any HTML output.
> print "Content-Type: text/html\n\n"
> print '<html><head><title>The Title</title></head><body>'
> 
> 
> if __name__ == "__main__":
> 
>    data = cgi.FieldStorage()
> 
>    if data:
>        qtype = data['qtype'].value
>        try:
>            qtext = data['qtext'].value
>        except KeyError:
>            qtext = ''
> 
>        if qtext and qtype=="shot_number":
>            print "You typed this:", qtext
> 
>            # Now, we can get to the database...
>            db = pg.connect('test', user='test', passwd='testpasswd')
> 
>            # This next line is not the right way to do this. You want
>            # to use the db connector's quoting system, but I do not see
>            # how to do that with the pg module. This method will leave
>            # you wide open to SQL injection attacks... be forewarned!
>            #
>            # I recommend asking on comp.lang.python if you cannot find
>            # more assistance here on tutor.
>            query = "select * from a where x=%(qtext)s" % {'qtext': qtext}
>            # a is a table with 2 columns (x int, y text)
> 
>            qresult = db.query(query)
> 
>            listOfResults = qresult.dictresult()
> 
>            print "<p>Example of pulling the list of dictionary results apart.</p>"
> 
>            for record in listOfResults:
>                print "<p><table>"
>                for k in record.keys():
>                    print '<tr>'
>                    print '<td>key:</td> <td>', k, '</td>'
>                    print '<td>value:</td><td>', record[k], '</td>'
>                    print '</tr>'
>                print '</table></p>'
> 
>            db.close()
> 
> 
>        elif qtext and qtype == "project":
>            print "You typed this:", qtext
> 
> 
>        elif not qtext:
>            print 'no text entered'
> 
>    else:
>        form()
> 
> print '</body></html>'
> 
> _______________________________________________
> Tutor maillist  -  Tutor at python.org
> http://mail.python.org/mailman/listinfo/tutor
> 
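To make the injection point in the quoted code concrete, here is an added example that is not part of the thread and not Lee Harr's or Shufen's code. It reproduces the quoted query-building line (user text pasted into the SQL with the `%` operator) next to a parameterised version, and runs both against a table shaped like Lee's `a (x int, y text)`. It is Python 3, and the standard-library `sqlite3` module stands in for the PostgreSQL connection so it runs offline; the function names, the row contents and the sample inputs are constructed for the demonstration.

```python
# Added example, not from the original thread.  Python 3; sqlite3 stands
# in for the PostgreSQL connection so it runs offline.  Table layout
# mirrors the note in the thread: a (x int, y text).  Rows are made up.
import sqlite3


def setup_db():
    """Build an in-memory copy of table a with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table a (x int, y text)")
    conn.executemany(
        "insert into a values (?, ?)",
        [(1, "public shot"), (2, "another shot"), (3, "secret shot")],
    )
    conn.commit()
    return conn


def build_query_unsafe(qtext):
    """The thread's approach: the user's text is pasted straight into SQL."""
    return "select * from a where x=%(qtext)s" % {'qtext': qtext}


def search_unsafe(conn, qtext):
    """Run the pasted-together query.  Whatever the user typed is now SQL,
    so '1 or 1=1' widens the WHERE clause to every row in the table."""
    return conn.execute(build_query_unsafe(qtext)).fetchall()


def search_safe(conn, qtext):
    """Validate, then pass the value as a bound parameter.

    The driver sends qtext as data, never as part of the SQL text, so no
    input can change the shape of the WHERE clause.  Because x is an int
    column, anything that is not an integer is rejected before the query
    is even built.  '?' is sqlite3's placeholder style; DB-API drivers for
    PostgreSQL such as PyGreSQL's pgdb use '%s'-style placeholders but
    take the parameters the same way, as a separate argument to execute().
    """
    try:
        x = int(qtext)
    except ValueError:
        return []
    return conn.execute("select * from a where x=?", (x,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    for typed in ("1", "1 or 1=1"):
        print("typed:", repr(typed))
        print("  unsafe SQL:   ", build_query_unsafe(typed))
        print("  unsafe result:", search_unsafe(db, typed))
        print("  safe result:  ", search_safe(db, typed))
```

With the input `1` both versions return the single matching row. With `1 or 1=1` the string-formatted version returns the whole table, because the text became part of the SQL; the parameterised version returns nothing, because the value was never treated as SQL in the first place. The same mechanism lets an attacker read other tables or add statements, which is why the quoted comment warns about it; the fix is to hand the driver the value separately rather than to quote it by hand.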
