[Tutor] Re: Please advice me on my code
Ms Soo Chong
s4046441 at student.uq.edu.au
Wed Sep 29 04:51:34 CEST 2004
Lee Harr, Thank you so much for your help! It is very much appreciated.
I know how I want it to show but I don't know how to code it. And you helped me greatly by doing this code!!! Thank you.
Though some of the functions are very new to me, with this I can learn faster by referring to an actual output and
assistance from Python tutes. Perfect way of learning (at least to a newbie like me). I'm so grateful...
I will try out the code and hopefully I can manage.
Thanks again.
Oh, one question: I don't really understand which method of my code will leave it wide open to SQL injection attacks.
Can you please explain it to me... sorry for that, I'm a bit slow.
Thank you.
Shufen
----- Original Message -----
From: Lee Harr <missive at hotmail.com>
Date: Wednesday, September 29, 2004 7:29 am
Subject: [Tutor] Re: Please advice me on my code
> import sys, os
> import cgi
> import cgitb; cgitb.enable()
>
> import pg
>
>
> def form():
>     print """<form method="post" action="">
>
>     <p><input type=radio name="qtype" value="shot_number" checked />Shot Number<br />
>     <input type=radio name="qtype" value="project" />Project
>     </p>
>
>     <p>Type your keywords search here:<br>
>     <textarea name="qtext" rows=2 cols=80></textarea>
>     </p>
>
>     <input type="submit" value="SEARCH"><br>
>     </form>"""
>
>
>
> print "Content-Type: text/html\n\n"
> print '<html><head><title>The Title</title></head><body>'
>
>
> if __name__ == "__main__":
>
>     data = cgi.FieldStorage()
>
>     if data:
>         qtype = data['qtype'].value
>         try:
>             qtext = data['qtext'].value
>         except KeyError:
>             qtext = ''
>
>         if qtext and qtype == "shot_number":
>             print "You typed this:", qtext
>
>             # Now, we can get to the database...
>             db = pg.connect('test', user='test', passwd='testpasswd')
>
>             # This next line is not the right way to do this. You want
>             # to use the db connector's quoting system, but I do not see
>             # how to do that with the pg module. This method will leave
>             # you wide open to SQL injection attacks... be forewarned!
>             #
>             # I recommend asking on comp.lang.python if you cannot find
>             # more assistance here on tutor.
>             query = "select * from a where x=%(qtext)s" % {'qtext': qtext}
>             # a is a table with 2 columns (x int, y text)
>
>             qresult = db.query(query)
>
>             listOfResults = qresult.dictresult()
>
>             print "<p>Example of pulling the list of dictionary results apart.</p>"
>
>             for record in listOfResults:
>                 print "<p><table>"
>                 for k in record.keys():
>                     print '<tr>'
>                     print '<td>key:</td> <td>', k, '</td>'
>                     print '<td>value:</td><td>', record[k], '</td>'
>                     print '</tr>'
>                 print '</table></p>'
>
>             db.close()
>
>
>         elif qtext and qtype == "project":
>             print "You typed this:", qtext
>
>
>         elif not qtext:
>             print 'no text entered'
>
>     else:
>         form()
>
>     print '</body></html>'
>
> _______________________________________________
> Tutor maillist - Tutor at python.org
> http://mail.python.org/mailman/listinfo/tutor
>
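To answer the question above concretely: the line that interpolates qtext into the SQL string is the one Lee's comment warns about. The following is an added example, not code from this thread or from the pg module; it uses sqlite3 in place of PostgreSQL so that it runs offline, and the rows in the table "a" (x int, y text) are constructed sample data. It puts the thread's query beside two versions that close the hole and feeds the same honest lookup and the same injected input through each.

```python
import sqlite3

# Constructed sample rows for the table "a" (x int, y text) that the quoted
# reply's query reads. sqlite3 stands in for PostgreSQL here only so the
# example runs offline; the thread's code uses the pg module.
ROWS = [(1, "shot one"), (2, "shot two"), (3, "row the user should not see")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table a (x int, y text)")
    db.executemany("insert into a values (?, ?)", ROWS)
    return db


def search_unsafe(db, qtext):
    """The query as written in the quoted reply: qtext is pasted straight
    into the SQL text with Python string formatting. Whatever the user typed
    into the textarea becomes part of the statement, SQL syntax included."""
    query = "select * from a where x=%(qtext)s" % {"qtext": qtext}
    return db.execute(query).fetchall()


def search_param(db, qtext):
    """Parameterised query: the SQL text is fixed and the value travels
    separately, so qtext cannot change the statement's structure. Input that
    is not a plain integer is rejected before it reaches the database,
    matching the int type of column x."""
    x = int(qtext)  # ValueError for anything that is not a plain integer
    return db.execute("select * from a where x=?", (x,)).fetchall()


def search_cast(db, qtext):
    """For a driver whose query() takes no parameters (the pg module as used
    above), casting to int before formatting closes the same hole for an
    integer column: the formatted value can only ever be digits."""
    query = "select * from a where x=%d" % int(qtext)
    return db.execute(query).fetchall()


def demo():
    """Run one honest lookup and one injected input through all three."""
    db = make_db()
    honest, payload = "2", "1 or 1=1"
    out = {
        "unsafe_honest": search_unsafe(db, honest),
        "unsafe_payload": search_unsafe(db, payload),  # dumps every row
        "param_honest": search_param(db, honest),
    }
    for fn in (search_param, search_cast):
        try:
            fn(db, payload)
            out[fn.__name__ + "_payload"] = "executed"
        except ValueError:
            out[fn.__name__ + "_payload"] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Typing "1 or 1=1" into the search box turns the statement into "select * from a where x=1 or 1=1", which matches every row; no quote character is needed because x is an integer column and the value was never quoted. With the pg module's query() there is nothing to bind parameters to, so validating and casting the value yourself (search_cast) is the practical fix for this column type; PyGreSQL's DB-API module pgdb does offer cursor.execute(sql, params), which is the parameter-binding route shown in search_param. The same qtext is also echoed unescaped into the HTML by the "You typed this:" line, so whichever fix is chosen for the query, the value should still be escaped before it is printed.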