[Tutor] Didn't take long to hit my next wall!
Brian Gustin
brian at daviesinc.com
Sun Apr 16 16:07:54 CEST 2006
python in this form uses BIND variables..
>>query = '''UPDATE cost_grid
>> SET cost_1 = %s <--- %s = the bind variable
placeholder/formatter
>> WHERE cost_grid_id = %s
>> AND finish_dro = %s'''' % ( a,c,b) <--- the raw tuple
That is, what is provided to python in the tuple following , is
formatted as specified by the %s , and as such, is a formatted string
(special characters are properly esscaped), and as far as sql query is
concerned, it is escaped safely..
I tested this before, when I first started working with python - Not a
problem at all. In fact, I also wrote a custom database class in PHP
that mimics this exact same functionality.. and in all my testing, not a
single SQL injection has succeeded :)
Basically whatever the value may be is formatted to a string, and
escaped if necessary for special chars.
Kent Johnson wrote:
> Alan Gauld wrote:
>
>>Hi John,
>>
>>I've no idea why its not working but this illustrates why I prefer to create
>>the sql string outside the execute - its a lot easier to debug when you can
>>print the string exactly as passed to execute. I know many others like to
>>leave execute to do the escaping stuff but I prefer to see what I'm doing
>>and put in a little extra effort.
>>
>>So I would write it as:
>>
>>query = '''UPDATE cost_grid
>> SET cost_1 = %s
>> WHERE cost_grid_id = %s
>> AND finish_dro = %s'''' % ( a,c,b)
>>c.execute(query)
>
>
> Yikes! Alan! Certainly you know what an SQL injection attack is? And
> what if the data contains special characters?
>
> For those who don't know, imagine what happens in the above if
> b = '91.4; drop table cost_grid;'
>
> or even
> b = 'a;b;"c"update'
>
> Kent
>
> _______________________________________________
> Tutor maillist - Tutor at python.org
> http://mail.python.org/mailman/listinfo/tutor
>
> !DSPAM:44422c98294101990911452!
>
>
More information about the Tutor
mailing list