mod_python

Jim Segrave jes at nl.demon.net
Sun Nov 6 18:29:01 EST 2005


In article <1131249790.713791.186740 at g14g2000cwa.googlegroups.com>,
Little <cookiecandyred at yahoo.com> wrote:
>I have created the following database but the following errors occur
>when trying to execute the code.
>
>html source:
><html>
><body>
>    Click here to display information from Chocolate menu:
><form action="form.py/display" method="POST">
>    <p>
>    Press to view the display
>    <input type="submit">
>    </p>
></form>
><br>
>    <p>Please provide data for chocolate to be added:</p>
><form action="form.py/addchocolate" method="POST">
>    <p>
>    Name:        <input type="text" name="z_Name" maxlength="30"><br>
>    Rating:      <input type="text" name="z_rating" maxlength="3"><br>
>    Price :      <input type="text" name="z_price" maxlength="5"><br>
>    <input type="submit">
>    </p>
></form>
></body>
></html>
>
>form.py source
>
>import MySQLdb
>
>def addchocolate(z_Name, z_rating, z_price):
>
>    # make sure the user provided all the parameters
>    if not (z_Name and z_rating and z_price):
>        return ("A required parameter is missing, "
>                "please go back and correct the error")
>    db = MySQLdb.connect(host="localhost", user="hayward",
>                         passwd="hayward", db="hayward")
>    cursor = db.cursor()
>    # the column list must match the columns of InventoryList; the values
>    # are passed as the second argument so MySQLdb quotes them itself
>    cursor.execute(
>        """INSERT INTO InventoryList (artist, title, rating)
>           VALUES (%s, %s, %s)""", (z_Name, z_rating, z_price))
>    db.commit()    # MySQLdb starts with autocommit off; without this the row is rolled back
>    cursor.close()
>    db.close()
>    return "Chocolate added"    # mod_python's publisher needs something to send back


I hate to ask, but what happens when I enter "a, b, c);DROP DATABASE;" as
the entry for z_name? (Or some similar attempt to close the
SQL statement and start a new one). I think you want to google for "SQL
injection" and think about sanitising user input a bit.



-- 
Jim Segrave           (jes at jes-2.demon.nl)
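The two ways of building that INSERT, side by side, as an added example (not code from the post or from mod_python/MySQLdb). Python's built-in sqlite3 module stands in for MySQLdb so it runs offline; the table, the column names and the payload are constructed for the demo. sqlite3's execute() refuses stacked statements, so rather than appending a second statement the payload closes the VALUES list early and comments out the rest: with the string-formatted query the attacker's rating and price end up in the table, with the parameterised query the whole payload is stored as the name. MySQLdb uses %s as its placeholder where sqlite3 uses ?; the two-argument execute() form is the same DB-API mechanism in both.

```python
import sqlite3

# Constructed payload for the z_Name field: closes the VALUES list early and
# comments out the rest, so the attacker, not the form, sets rating and price.
PAYLOAD_NAME = "Cheap Bar', 99, 0) -- "

# Constructed schema; column names are assumptions for the demo.
SCHEMA = """
CREATE TABLE InventoryList (
    name   TEXT NOT NULL,
    rating INTEGER,
    price  REAL
)
"""


def fresh_db():
    """In-memory SQLite database standing in for the MySQL one in the post."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def add_chocolate_unsafe(db, z_Name, z_rating, z_price):
    """Vulnerable form: user input is pasted into the SQL text with % formatting.

    Returns the SQL string that was actually executed.
    """
    template = ("INSERT INTO InventoryList (name, rating, price) "
                "VALUES ('%s', '%s', '%s')")
    sql = template % (z_Name, z_rating, z_price)
    db.execute(sql)
    db.commit()
    return sql


def add_chocolate_safe(db, z_Name, z_rating, z_price):
    """Hardened form: the driver binds the values; the SQL text never changes.

    Returns the SQL string that was executed (placeholders only).
    """
    sql = "INSERT INTO InventoryList (name, rating, price) VALUES (?, ?, ?)"
    db.execute(sql, (z_Name, z_rating, z_price))
    db.commit()
    return sql


def rows(db):
    """All rows currently in InventoryList as (name, rating, price) tuples."""
    return db.execute("SELECT name, rating, price FROM InventoryList").fetchall()


def demo():
    """Run the same submitted form values through both versions.

    Returns (rows written by the unsafe version, rows written by the safe one).
    """
    submitted = (PAYLOAD_NAME, "3", "4.50")   # what the form would POST

    unsafe_db = fresh_db()
    add_chocolate_unsafe(unsafe_db, *submitted)

    safe_db = fresh_db()
    add_chocolate_safe(safe_db, *submitted)

    return rows(unsafe_db), rows(safe_db)


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("string formatting stored:", unsafe_rows)
    print("parameter binding stored:", safe_rows)
```

In the unsafe case the executed text is `INSERT INTO InventoryList (name, rating, price) VALUES ('Cheap Bar', 99, 0) -- ', '3', '4.50')`, so the rating 99 and price 0 come from the name field and the real rating and price are discarded as a comment. In the safe case the statement the database parses is always the one with three placeholders, and the quote, parentheses and `--` inside the payload are just bytes in a string value. A driver whose execute() does allow several statements per call is where the `;DROP DATABASE` variant above would bite, and parameter binding stops it for the same reason.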