i Don't get why it makes trouble
Philip Semanchuk
philip at semanchuk.com
Thu Aug 13 18:14:02 EDT 2009
On Aug 13, 2009, at 6:00 PM, azrael wrote:
> On 13 kol, 22:09, Philip Semanchuk <phi... at semanchuk.com> wrote:
>> On Aug 13, 2009, at 2:56 PM, azrael wrote:
>>
>>>>>> j
>>> [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
>>>>>> len(j)
>>> 5
>>>>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
>>>>>> d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija
>>>>>> as z, drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv
>>>>>> = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =
>>>>>> '%s'""" % (j)
>>> Traceback (most recent call last):
>>> File "<string>", line 1, in <string>
>>> TypeError: not enough arguments for format string
>>
>> Hi azrael,
>> You already have an answer to your question so I won't address
>> that. I
>> want to point out that this is a dangerous way to build SQL
>> statements.
>>
>> For instance, what happens if someone enters a city name of L'viv?
>> Your SQL will break due to mismatched single quotes. This kind of
>> code
>> is vulnerable to SQL injection attacks: http://en.wikipedia.org/wiki/SQL_injection
>>
>> Parameterized SQL is safer. Googling for 'parameterized SQL Python'
>> should find some examples for you.
>>
>> Good luck
>> Philip
>
> I know already. This is supposed to be a small office application
> connecting on a LAN mysql server with no web connection. Thank you
> anyway
You're welcome. I'm glad you are aware. You're ahead of a lot of
developers out there.
I encourage you to at least think about using parameterized SQL anyway
because you never know when someone (maybe even you!) will copy &
paste your code, or use your library without realizing that it was
"internal use only". It's usually just as easy as building SQL strings
anyway.
And besides, what about L'viv? =)
Good luck with whatever choice you make
Philip
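To make the L'viv point concrete, here is an added example (not code from the thread) that puts the poster's `%`-formatting beside a parameterized query. It assumes a single `ulica` table with a `naziv` column and uses an in-memory sqlite3 database as a stand-in for the LAN MySQL server; MySQL drivers use `%s` placeholders where sqlite3 uses `?`, but the mechanism is the same.

```python
import sqlite3

# Constructed in-memory stand-in for the poster's MySQL tables (assumption:
# only the ulica table, with a naziv column, is needed to show the point).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ulica (id_ulica INTEGER PRIMARY KEY, naziv TEXT)")
    conn.executemany("INSERT INTO ulica (naziv) VALUES (?)",
                     [("Tata",), ("L'viv",)])
    conn.commit()
    return conn

def build_formatted(naziv):
    # The thread's approach: splice the value into the SQL text with %.
    # A list as the right operand of % counts as one argument, which is the
    # poster's TypeError; tuple(j) would unpack it. Either way the quoting
    # of the value is left to chance.
    return "SELECT id_ulica FROM ulica WHERE naziv = '%s'" % (naziv,)

def lookup_formatted(conn, naziv):
    # Returns the id, or the exception class name if the SQL failed to parse.
    try:
        row = conn.execute(build_formatted(naziv)).fetchone()
        return row[0] if row else None
    except sqlite3.OperationalError as e:
        return type(e).__name__

def lookup_parameterized(conn, naziv):
    # The driver sends the value separately from the statement text, so the
    # apostrophe in L'viv is data, never SQL syntax.
    row = conn.execute("SELECT id_ulica FROM ulica WHERE naziv = ?",
                       (naziv,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    for name in ("Tata", "L'viv"):
        print(repr(name), lookup_formatted(conn, name),
              lookup_parameterized(conn, name))
```

Running it shows the formatted query working for "Tata" and breaking on "L'viv" with a syntax error, while the parameterized query returns the right row for both.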