Newbie: Database technique
Gerhard Häring
gerhard.haering at gmx.de
Tue Dec 31 13:02:05 EST 2002
Mel Wilson wrote:
> [...]
> def quote (s):
> return '"' + s + '"'
> [...]
> mc.execute ('INSERT INTO my_users (%s) values (%s,%s)'
> % (','.join (org_fields)
> , ','.join ([quote(x) for x in rec[1:9]])
> , quote(role_id) ))
> print "%5d %-20s %-20s transferred" % (i, rec[1], rec[3])
> id = mc.insert_id()
>
> You could get rid of the quote function [...]
Yes, it's a good idea of getting rid of the quote function. And of the
idea of constructing SQL manually, too while we're at it. *sigh*
Consider this:
#v+
# Username and password entered from a dialog box
sql = "SELECT COUNT(*) FROM USERTABLE WHERE UT_NAME=%s AND UT_PASSWORD=%s" \
% (quote(username), quote(password))
cursor.execute(sql)
row = cursor.fetchone()
login_ok = row[0] != 0
#v-
Hah! Now somebody evil (like me ;-) wants to break in and enters the
following as a password:
' OR 1=1; --
Voilà. And I didn't delete your whole database yet, which would not
have been a problem at all (just throw in a few DELETEs).
The lesson is that you should use the DB-API rather than working
around it - use bound parameters:
#v+
cursor.execute(
"SELECT COUNT(*) FROM USERTABLE WHERE UT_NAME=%s AND UT_PASSWORD=%s",
username, password)
# ...
#v-
There are some cases, say for overly complex APIs like ADO.NET where
you don't want to manually bind 10 parameters and where you need the
*exact* *database* type of the field to do so :-((
For this or other reasons you sometimes want to use your own quote
function. It should be safe if you also escape the apostrophes, then:
#v+
import re
def quote(s):
return "'%s'" % re.sub("'", "''", s)
#v-
Of course you'll still have to verify all user input, for example
numeric ones which don't run thru quote.
Gerhard
--
Favourite database: http://www.postgresql.org/
Favourite programming language: http://www.python.org/
Combine the two: http://pypgsql.sf.net/
Embedded database for Python: http://pysqlite.sf.net/
More information about the Python-list
mailing list