String substitution VS proper mysql escaping

Daniel Kluev dan.kluev at gmail.com
Wed Aug 18 00:26:32 EDT 2010


2010/8/18 Νίκος <nikos.the.gr33k at gmail.com>

> a) I wanted to ask what proper escaping means, and
>
>
Proper escaping means that the value is wrapped in quotes properly, and quotes
and backslashes (or any other symbol special to the RDBMS) are escaped with
backslashes.

> why, after the variable page, the syntax has a comma
>

The comma just means it's a tuple.

(page) is equal to page, while (page,) is a one-element tuple which contains
page:

>>> ('123')
'123'
>>> ('123',)
('123',)



> why doesn't my code, as I have it now for string reproduction,
>
> ===============================
> http://webville.gr/index.html?page="100 ; DELETE FROM visitors; SELECT
> * FROM visitors "
> ===============================
>
> reproduce the problem of actually deleting my data. I don't care about
> losing it!
>
> I just want to see that happening with my own eyes!
>
>
Your script there just throws an exception for any page data, and most
likely does not run any query at all:

> 28 # open current html template and get the page ID number
> 29 #
> =================================================================================================================
> 30 f = open( '/home/webville/public_html/' + page )
> 31
> 32 # read first line of the file
> f undefined, builtin open = <type 'file'>, page = ['index.html', '100']
> TypeError: cannot concatenate 'str' and 'list' objects
>

Besides, using user-provided data and just concatenating it to a filename like
that is definitely a bad idea.
You should use os.path.join() at least.

Regarding that kind of SQL injection, typically the driver will stop it from
happening when you provide 2 queries at once delimited by ';', so a DROP TABLE
would not work. However, it's possible to issue UNIONs to retrieve sensitive
data from your database.

-- 
With best regards,
Daniel Kluev
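The following is an added example, not code from this thread or from Νίκος's script. It puts the three points of the reply above side by side in working code: string substitution versus a bound parameter (with the trailing comma), the driver refusing a second ';'-delimited statement while a UNION still leaks data, and filename handling that goes one step past os.path.join(). It uses sqlite3 from the standard library so it runs offline; a MySQL driver such as MySQLdb takes the same one-element tuple but uses %s as its placeholder instead of ?. The tables, rows, document root and function names (make_db, hits_unsafe, hits_safe, bind_without_comma, page_is_inside_root, template_path, PUBLIC_HTML) are all constructed for this example.

```python
"""Added example (not code from the thread): string substitution vs.
parameter binding, and the filename-concatenation problem, using sqlite3
so it runs offline.  MySQLdb works the same way except that its
placeholder is %s instead of ?.
"""
import os
import sqlite3


def make_db():
    """Constructed sample data: a visitors table like the one in the thread,
    plus a users table holding something an attacker would want."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE visitors (page TEXT, hits INTEGER);
        INSERT INTO visitors VALUES ('100', 5), ('101', 7);
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def hits_unsafe(conn, page):
    """String substitution: the request value is pasted into the SQL text,
    so anything it contains is parsed as SQL.  Returns the rows, or a
    'refused: ...' string when the driver rejects the statement."""
    sql = "SELECT hits FROM visitors WHERE page = '%s'" % page
    try:
        return [row[0] for row in conn.execute(sql)]
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # A second ';'-delimited statement is refused by the driver before
        # anything runs (older Pythons raise sqlite3.Warning, newer ones
        # ProgrammingError), so the DELETE never happens.
        return "refused: %s" % exc


def hits_safe(conn, page):
    """Parameter binding: the trailing comma makes (page,) a one-element
    tuple; the driver hands the value to the database separately from the
    SQL text, so it is never parsed as SQL."""
    rows = conn.execute("SELECT hits FROM visitors WHERE page = ?", (page,))
    return [row[0] for row in rows]


def bind_without_comma(conn, page):
    """What happens when the comma is forgotten: (page) is just the string,
    and a string is a sequence of characters, so sqlite3 sees len(page)
    bindings for one placeholder and raises ProgrammingError."""
    try:
        conn.execute("SELECT hits FROM visitors WHERE page = ?", (page))
        return "ok"
    except sqlite3.ProgrammingError:
        return "wrong number of bindings"


# Hypothetical document root, matching the path in the quoted traceback.
PUBLIC_HTML = "/home/webville/public_html"


def page_is_inside_root(page, base=PUBLIC_HTML):
    """os.path.join() alone does not stop '../../etc/passwd' from escaping
    the document root; resolve the path and require it to stay under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, page))
    return os.path.commonpath([base, target]) == base


def template_path(page, base=PUBLIC_HTML):
    """Resolved template path, or ValueError if the page name escapes base."""
    if not page_is_inside_root(page, base):
        raise ValueError("page escapes the document root: %r" % page)
    return os.path.realpath(os.path.join(base, page))


if __name__ == "__main__":
    db = make_db()
    # Two statements: refused by the driver, DELETE never runs.
    print(hits_unsafe(db, "100'; DELETE FROM visitors; --"))
    # One statement with a UNION: the password comes back in the hits column.
    print(hits_unsafe(db, "' UNION SELECT password FROM users --"))
    # The same payload through a bound parameter is just a page name
    # that does not exist.
    print(hits_safe(db, "' UNION SELECT password FROM users --"))
    print(hits_safe(db, "100"))
    print(bind_without_comma(db, "100"))
    print(template_path("index.html"))
    print(page_is_inside_root("../../etc/passwd"))
```

Run it as a script and the second hits_unsafe call prints ['s3cret'], which is the UNION leak Daniel describes, while the first prints the driver's refusal and the data in visitors is untouched afterwards. The same two payloads through hits_safe return nothing, because a bound value can only ever be compared against the page column.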