Another Little MySQL Problem
Alister
alister.ware at ntlworld.com
Thu May 27 00:10:40 EDT 2010
On Wed, 26 May 2010 15:30:16 -0700, John Nagle wrote:
> Alister wrote:
>> I think you should probably also write your execute differently:
>>
>>>>> clientCursor.execute('select ID from %s' , (personalDataTable,))
>>
>> this ensures the parameters are correctly escaped to prevent mysql
>> injection attacks,the "," after personalDataTable is necessary to
>> ensure the parameter is passed as a tuple
>
> Actually, no. The names of tables are not quoted in SQL.
> One writes
>
> SELECT ID FROM mytable;
>
> not
>
> SELECT ID FROM "mytable";
>
> so you don't want to run table names through the quoting and escaping
> function. If the table name is a variable, you need to be very careful
> about where it comes from.
>
> On the other hand, if you're specifying a data value, a field that's
> normally quoted, as in
>
> SELECT ID from mytable WHERE mykey="foo";
>
> you write
>
> cursor.execute("SELECT ID FROM mytable WHERE mykey=%s",
(mykeyval,))
>
> to get proper escaping. Don't put quote marks around the %s; MySQLdb
> does that.
>
> Also, if you're selecting every entry in a database, without a
> WHERE or ORDER BY clause, you will get the entries in more or less
> random order.
>
> John Nagle
Thanks i hadn't read the search string fully.
in this case if personalDataTable is generated by user input it should be
carefully checked as it will still be a possible source of attack.
The golden rule with user input is trust nothing.
--
QOTD:
"I won't say he's untruthful, but his wife has to call the
dog for dinner."
More information about the Python-list
mailing list