I don't get why it makes trouble

Benjamin Kaplan benjamin.kaplan at case.edu
Thu Aug 13 17:05:37 EDT 2009


On Thu, Aug 13, 2009 at 4:09 PM, Philip Semanchuk <philip at semanchuk.com> wrote:

>
> On Aug 13, 2009, at 2:56 PM, azrael wrote:
>
>> >>> j
>> [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
>> >>> len(j)
>> 5
>> >>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
>> d.id_drzava, v.id_valuta FROM   ulica as u, opcina as o, zupanija as z,
>> drzava as d, valuta as v  WHERE  u.naziv = '%s' AND o.naziv = '%s' AND
>> z.naziv = '%s' AND d.naziv = '%s' AND v.naziv = '%s'""" % (j)
>> Traceback (most recent call last):
>>   File "<string>", line 1, in <string>
>> TypeError: not enough arguments for format string
>>
>
> Hi azrael,
> You already have an answer to your question so I won't address that. I want
> to point out that this is a dangerous way to build SQL statements.
>
> For instance, what happens if someone enters a city name of L'viv?  Your
> SQL will break due to mismatched single quotes. This kind of code is
> vulnerable to SQL injection attacks:
> http://en.wikipedia.org/wiki/SQL_injection
>

No explanation of SQL injection is complete without a link to the relevant
XKCD.

http://xkcd.com/327/


>
> Parameterized SQL is safer. Googling for 'parameterized SQL Python' should
> find some examples for you.
>
> Good luck
> Philip
> --
> http://mail.python.org/mailman/listinfo/python-list
>
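As an added example (not code from the thread), here is azrael's five-table lookup rewritten the way Philip suggests, with sqlite3 bound parameters; the in-memory schema, the table contents and the extra "L'viv" street row are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the thread): azrael's five names, in WHERE-clause order.
NAMES = ["Tata", "Oriovac", "PrimorskoGoranska", "hrvatska", "Kuna"]

# The thread's query with '?' placeholders in place of '%s'.
SQL = """SELECT DISTINCT u.id_ulica, o.id_opcina, z.id_zupanija,
d.id_drzava, v.id_valuta FROM ulica AS u, opcina AS o, zupanija AS z,
drzava AS d, valuta AS v WHERE u.naziv = ? AND o.naziv = ? AND
z.naziv = ? AND d.naziv = ? AND v.naziv = ?"""

# Table and key names are fixed constants here, never user input.
TABLES = [("ulica", "id_ulica"), ("opcina", "id_opcina"),
          ("zupanija", "id_zupanija"), ("drzava", "id_drzava"),
          ("valuta", "id_valuta")]

def build_db():
    """In-memory SQLite schema with one constructed row per table."""
    conn = sqlite3.connect(":memory:")
    for (table, key), name in zip(TABLES, NAMES):
        conn.execute(f"CREATE TABLE {table} ({key} INTEGER PRIMARY KEY, naziv TEXT)")
        conn.execute(f"INSERT INTO {table} (naziv) VALUES (?)", (name,))
    # A second street whose name carries the single quote Philip mentions.
    conn.execute("INSERT INTO ulica (naziv) VALUES (?)", ("L'viv",))
    return conn

def lookup_ids(conn, names):
    """Run the five-table lookup with bound parameters."""
    if len(names) != 5:
        raise ValueError("expected exactly five names")
    # tuple(names), not (names): parentheses around a list do not make a
    # tuple, which is why '% (j)' in the thread raised TypeError.
    return conn.execute(SQL, tuple(names)).fetchall()

def lookup_street_unsafe(conn, street):
    """The thread's formatting style, kept only to show that a quote in the data breaks it."""
    return conn.execute("SELECT id_ulica FROM ulica WHERE naziv = '%s'" % street).fetchall()

def lookup_street_safe(conn, street):
    """Same lookup with the value bound, so a quote in the data is just data."""
    return conn.execute("SELECT id_ulica FROM ulica WHERE naziv = ?", (street,)).fetchall()

def unsafe_breaks_on_quote(conn, street):
    """True when the formatted statement fails to parse for this value."""
    try:
        lookup_street_unsafe(conn, street)
        return False
    except sqlite3.OperationalError:
        return True
```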
