Why 'files.py' does not print the filenames into a table format?

Chris Angelico rosuav at gmail.com
Sat Jun 15 18:51:41 EDT 2013


On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick
<benjamin at schollnick.net> wrote:
> cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
> cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )
>
> Sure, whoever wrote that code is a fool.
>
> http://xkcd.com/327/
>
> They didn't sanitize your database inputs.

I assume you're talking about the above two lines of code? They're not
SQL injection targets. The clue is that the %s isn't in quotes. This
is an out-of-band argument passing method (actually, since he's using
MySQL (IIRC), it's probably just going to escape it and pass it on
through, but it comes to the same thing), so it's safe.

ChrisA
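The distinction ChrisA draws (a placeholder outside quotes, filled by the driver, versus a value spliced into the SQL text) is easy to see in running code. The block below is an added example, not code from the thread; it uses the standard-library sqlite3 module, whose placeholder is `?` rather than MySQLdb's `%s`, and a small constructed `counters` table. The `ids_for_url_unsafe` function deliberately builds the statement with string formatting so the two behaviours can be compared side by side.

```python
"""Parameter binding versus string formatting, shown with sqlite3.

Added example, not from the mailing-list thread. The thread's snippet used
MySQLdb (paramstyle '%s'); sqlite3 uses '?', but the principle is the same:
a bound parameter travels separately from the SQL text and is never parsed
as SQL, so quotes inside it are just characters in a string.
"""
import sqlite3

# Constructed sample data for the in-memory table.
SEED_URLS = ["/index.html", "/about.html", "/contact.html"]


def make_db():
    """Create an in-memory counters table similar to the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE counters (id INTEGER PRIMARY KEY, url TEXT NOT NULL)")
    conn.executemany("INSERT INTO counters (url) VALUES (?)", [(u,) for u in SEED_URLS])
    conn.commit()
    return conn


def ids_for_url_safe(conn, page):
    """Parameterised query: 'page' is bound out-of-band by the driver."""
    cur = conn.execute("SELECT id FROM counters WHERE url = ?", (page,))
    return [row[0] for row in cur.fetchall()]


def ids_for_url_unsafe(conn, page):
    """String formatting: 'page' becomes part of the SQL text and is parsed as SQL.
    Kept here only for comparison; this is the pattern to avoid."""
    cur = conn.execute("SELECT id FROM counters WHERE url = '%s'" % page)
    return [row[0] for row in cur.fetchall()]


def record_hit_safe(conn, page):
    """Parameterised INSERT, then look the row back up the same way."""
    conn.execute("INSERT INTO counters (url) VALUES (?)", (page,))
    conn.commit()
    return ids_for_url_safe(conn, page)


def apostrophe_check():
    """Even a benign value with an apostrophe breaks the formatted version.
    Returns (safe_result, unsafe_raised)."""
    conn = make_db()
    page = "/o'reilly.html"
    safe = ids_for_url_safe(conn, page)
    try:
        ids_for_url_unsafe(conn, page)
        unsafe_raised = False
    except sqlite3.OperationalError:
        unsafe_raised = True
    return safe, unsafe_raised


def demo():
    """Compare both lookups on an ordinary URL and on a value containing SQL."""
    conn = make_db()
    normal = "/about.html"
    crafted = "x' OR '1'='1"
    return {
        "safe_normal": ids_for_url_safe(conn, normal),
        "unsafe_normal": ids_for_url_unsafe(conn, normal),
        "safe_crafted": ids_for_url_safe(conn, crafted),      # no such URL: []
        "unsafe_crafted": ids_for_url_unsafe(conn, crafted),  # WHERE clause rewritten: every row
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("apostrophe:", apostrophe_check())
```

The bound version returns the same rows as the formatted one for an ordinary URL, returns nothing for the crafted value (no row has that literal URL), and stores the crafted value verbatim when inserted. The formatted version either returns every row or raises a syntax error on a harmless apostrophe, which is exactly why the `%s` outside quotes in the original code is the safe form.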



More information about the Python-list mailing list