Problem inserting into Postgres (PgSQL) database
Dave Reed
dreed at capital.edu
Thu Jun 19 11:19:15 EDT 2003
On Thursday 19 June 2003 06:52, Gerhard Häring wrote:
> mupeso at arc.sn wrote:
> > [...]
> > try:
> >     handle=PgSQL.connect(database=configDB, host=configHost, user=configUser,
> >                          password=configPasswd)
> > except PgSQL.OperationalError, e:
> >     print 'Erreur.'
> >
> > sql= "insert into radcheck2 (uid,login,passwd,shell,homedir,domain_name,acc_expired) values ("+str(uid)+",'"+login+"','"+passwd+"','"+shell+"','"+homedir+"','"+dom_name+"','n')"
> >
> > try:
> >     xcursor = handle.cursor()
> >     result= xcursor.execute(sql)
> >     handle.commit()
> >     xcursor.close()
> > except PgSQL.OperationalError, e:
> >     print 'ERROR'
>
> First, like Sean said already, without a .commit() you won't see
> anything outside the current transaction that's connected to the
> database connection you did the insert in.
>
> Second, your style of constructing SQL is a bad one. Use the DB-API way
> of quoting the various datatypes instead:
>
> #v+
> sql= """INSERT INTO RADCHECK2
>     (UID, LOGIN, PASSWD, SHELL, HOMEDIR, DOMAIN_NAME, ACC_EXPIRED)
>     VALUES (%s, %s, %s, %s, %s, %s, %s)"""
>
> cursor.execute(sql, (uid, login, passwd, shell, homedir, dom_name, 'n'))
> #v-
>
> The way you're constructing your SQL statement now is a security
> vulnerability if any of the fields can come from an untrusted source.
Could you please elaborate on how your method is more secure? Isn't it
the same result, since the %s are replaced with the values from the
variables?
Dave
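The difference Dave asks about, as an added example that is not code from the thread: the same insert is run once by pasting values into the SQL text and once with DB-API parameters, and a login containing a single quote shows that only the concatenated version lets the value alter the statement. Assumptions: sqlite3 stands in for PgSQL (both are DB-API modules; only the placeholder style differs), and the table, login values and function names are constructed here.

```python
import sqlite3

# Constructed schema mirroring the radcheck2 columns from the thread. Assumption:
# sqlite3 stands in for PgSQL; both are DB-API modules, only the paramstyle differs.
SCHEMA = """CREATE TABLE radcheck2 (uid INTEGER, login TEXT, passwd TEXT,
    shell TEXT, homedir TEXT, domain_name TEXT, acc_expired TEXT)"""


def insert_concat(conn, uid, login, passwd, shell, homedir, dom_name):
    """Original style: field contents are pasted into the SQL text, so the
    database parser reads them as part of the statement."""
    sql = ("insert into radcheck2 (uid,login,passwd,shell,homedir,domain_name,"
           "acc_expired) values (" + str(uid) + ",'" + login + "','" + passwd
           + "','" + shell + "','" + homedir + "','" + dom_name + "','n')")
    cur = conn.cursor()
    cur.execute(sql)
    conn.commit()


def insert_param(conn, uid, login, passwd, shell, homedir, dom_name):
    """DB-API style: the statement is fixed; values travel separately and are
    never parsed as SQL. sqlite3 writes '?' where PgSQL writes '%s'."""
    sql = ("insert into radcheck2 (uid,login,passwd,shell,homedir,domain_name,"
           "acc_expired) values (?, ?, ?, ?, ?, ?, ?)")
    cur = conn.cursor()
    cur.execute(sql, (uid, login, passwd, shell, homedir, dom_name, 'n'))
    conn.commit()


def compare(login):
    """Run both inserts with the same login value and report what each did."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    results = {}
    for name, fn in (("concat", insert_concat), ("param", insert_param)):
        try:
            fn(conn, 1001, login, "secret", "/bin/sh", "/home/u", "example.net")
            row = conn.execute("select login from radcheck2 where uid=1001").fetchone()
            results[name] = ("ok", row[0])
            conn.execute("delete from radcheck2")
        except sqlite3.Error as e:
            results[name] = ("error", type(e).__name__)
    return results


if __name__ == "__main__":
    print(compare("dupont"))   # both paths store 'dupont'
    print(compare("o'brien"))  # concat path fails: the quote ends the SQL string early
```

With the parameterized form the driver hands the values to the database as data, so a quote in a login is stored as a quote rather than changing the statement.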