String substitution VS proper mysql escaping
Νίκος
nikos.the.gr33k at gmail.com
Tue Aug 17 23:15:24 EDT 2010
===============================
cursor.execute( ''' SELECT host, hits, date FROM visitors WHERE page =
'%s' ORDER BY date DESC ''' % (page) )
===============================
Someone told me NOT to do string substitution ("%") on SQL statements
and to let MySQLdb do it
for me, with proper escaping like the following
===============================
cursor.execute('''SELECT host, hits, date FROM visitors WHERE page=%s
ORDER BY date DESC''', (page,))
===============================
The difference is that if some external source can control "page",
and
they put in a value like
100 ; DELETE FROM visitors; SELECT * FROM visitors
i will be losing my database table data.
a) I wanted to ask what is proper escaping mean and why after variable
page syntax has a comma
and as i have the script now
why don't my code as i have it now for string reproduction
===============================
http://webville.gr/index.html?page="100 ; DELETE FROM visitors; SELECT
* FROM visitors "
===============================
don't reproduce the problem of actual deleting my data. I don't care
losing it!
I just want to see that happening with my own eyes!
More information about the Python-list
mailing list