Is This Open To SQL Injection?

Victor Subervi victorsubervi at gmail.com
Thu Jul 8 09:20:00 EDT 2010


On Wed, Jul 7, 2010 at 2:22 PM, Stephen Hansen <me+list/python at ixokai.io> wrote:

> First, it's always best to be explicit with insert statements. Meaning,
> don't rely on the underlying structure of a table, as in:
>
> INSERT INTO YourRandomTable VALUES ("my", "value", "here");
>
> Instead, do:
>
> INSERT INTO YourRandomTable (field1, field2, field3) VALUES ("my",
> "value", "here");
>
By following this advice, I realized I didn't need to do that fancy
multiplying out of the '%s' which was screwing me up anyway, and then I didn't
need to create an SQL string using a '%', and then I didn't need to open the door
to injection attack!

However, I now have another error. Here is my current command:

    cursor.execute(
        "insert into personalDataKeys (Store, User, useFirstName, "
        "useLastName, usePhone, useCell, useFax, useAddress, useShippingAddress, "
        "useDOB, useEmail, usePW) values (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, "
        "%s)", ([store, user] + col_vals))

I get this error from MySQL which I am having a hard time understanding:

LATEST FOREIGN KEY ERROR
------------------------
100708  6:15:01 Transaction:
TRANSACTION 0 9382, ACTIVE 0 sec, process no 5326, OS thread id 1169992000
inserting, thread declared inside InnoDB 500
mysql tables in use 1, locked 1
3 lock struct(s), heap size 368, undo log entries 1
MySQL thread id 1502, query id 23700 localhost beno update
insert into personalDataKeys (Store, User, useFirstName, useLastName,
usePhone, useCell, useFax, useAddress, useShippingAddress, useDOB, useEmail,
usePW) values ('specialty', 'patients', 1, 1, 1, 1, 1, 1, 0, 1, 1, 1)
Foreign key constraint fails for table `test/personalDataKeys`:
,
  CONSTRAINT `personalDataKeys_ibfk_1` FOREIGN KEY (`Store`) REFERENCES
`products` (`Store`)
Trying to add in child table, in index `Store` tuple:
DATA TUPLE: 2 fields;
 0: len 9; hex 7370656369616c7479; asc specialty;; 1: len 6; hex
0000000003b7; asc       ;;

But in parent table `test/products`, in index `Store`,
the closest match we can find is record:
PHYSICAL RECORD: n_fields 1; compact format; info bits 0
 0: len 8; hex 696e66696d756d00; asc infimum ;;

What is this tuple?
TIA,
beno
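Added example, not code from this thread or from MySQLdb: sqlite3 stands in for the poster's MySQL connection so it runs offline (assumption: `?` placeholders where MySQLdb takes `%s`; the schema is constructed from the column list in the message and the single FOREIGN KEY named in the error). It covers both points of the message: an explicit column list with the values passed as parameters, so a value such as `Bob's Store` never touches the SQL text, and the foreign-key refusal that results when the `Store` value has no matching row in `products`.

```python
import sqlite3

# Column list copied from the poster's INSERT. It is fixed program data, not
# user input, so deriving the placeholder list from it is safe.
COLUMNS = ["Store", "User", "useFirstName", "useLastName", "usePhone",
           "useCell", "useFax", "useAddress", "useShippingAddress",
           "useDOB", "useEmail", "usePW"]

# One placeholder per column; the values arrive separately as parameters.
INSERT_SQL = "INSERT INTO personalDataKeys ({}) VALUES ({})".format(
    ", ".join(COLUMNS), ", ".join("?" for _ in COLUMNS))

# Constructed schema (assumption): only the FK from the error text is known.
SCHEMA = """
CREATE TABLE products (Store TEXT PRIMARY KEY);
CREATE TABLE personalDataKeys (
    Store TEXT NOT NULL,
    User  TEXT NOT NULL,
    useFirstName INTEGER, useLastName INTEGER, usePhone INTEGER,
    useCell INTEGER, useFax INTEGER, useAddress INTEGER,
    useShippingAddress INTEGER, useDOB INTEGER, useEmail INTEGER,
    usePW INTEGER,
    FOREIGN KEY (Store) REFERENCES products (Store)
);
"""


def open_db():
    """In-memory database with the constructed schema and FK checks enabled."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite leaves this off by default
    conn.executescript(SCHEMA)
    return conn


def add_store(conn, store):
    """Create the parent row the child insert depends on."""
    conn.execute("INSERT INTO products (Store) VALUES (?)", (store,))
    conn.commit()


def parent_row_exists(conn, store):
    """Diagnostic for the FK error: is there a products row for this Store?"""
    row = conn.execute("SELECT 1 FROM products WHERE Store = ?",
                       (store,)).fetchone()
    return row is not None


def insert_keys(conn, store, user, col_vals):
    """Parameterised insert; returns 'ok' or the reason the row was refused."""
    if len(col_vals) != len(COLUMNS) - 2:
        return "bad-arity"           # placeholders and values would not line up
    try:
        conn.execute(INSERT_SQL, [store, user] + list(col_vals))
        conn.commit()
        return "ok"
    except sqlite3.IntegrityError:   # the sqlite3 equivalent of the poster's error
        conn.rollback()
        return "foreign-key-failed"


def stored_store_values(conn):
    """Store values actually saved, to confirm parameters kept them verbatim."""
    return [r[0] for r in conn.execute(
        "SELECT Store FROM personalDataKeys ORDER BY Store")]


def unsafe_sql(store, user, col_vals):
    """The pattern the poster moved away from: values spliced in with %."""
    return ("INSERT INTO personalDataKeys (%s) VALUES ('%s', '%s', %s)"
            % (", ".join(COLUMNS), store, user,
               ", ".join(str(v) for v in col_vals)))


def try_unsafe(conn, store, user, col_vals):
    """Run the %-formatted text; report whether the database even parsed it."""
    try:
        conn.execute(unsafe_sql(store, user, col_vals))
        conn.commit()
        return True
    except sqlite3.OperationalError:   # an apostrophe in the value breaks the SQL
        conn.rollback()
        return False


if __name__ == "__main__":
    conn = open_db()
    flags = [1, 1, 1, 1, 1, 1, 0, 1, 1, 1]   # the values from the poster's log
    print(insert_keys(conn, "specialty", "patients", flags))   # foreign-key-failed
    print(parent_row_exists(conn, "specialty"))               # False
    add_store(conn, "specialty")
    print(insert_keys(conn, "specialty", "patients", flags))   # ok
    add_store(conn, "Bob's Store")
    print(insert_keys(conn, "Bob's Store", "patients", flags)) # ok
    print(try_unsafe(conn, "Bob's Store", "patients", flags))  # False
```

On the "tuple" question: the DATA TUPLE in the log is the entry InnoDB tried to add to the child table's `Store` index. Field 0 is the `Store` value (`specialty`); the 6-byte field 1 is InnoDB's internal row id, which secondary-index entries carry when the table has no explicit primary key. The parent index offering only `infimum` (the pseudo-record at the low end of an index page) as its closest match means `products` holds no record matching `specialty`, which is exactly what `parent_row_exists` reports before the insert is attempted.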