Why 'files.py' does not print the filenames into a table format?
Nick the Gr33k
support at superhost.gr
Sat Jun 15 21:07:01 EDT 2013
On 16/6/2013 1:51 πμ, Chris Angelico wrote:
> On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick
> <benjamin at schollnick.net> wrote:
>> cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
>> cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )
>>
>> Sure, whoever wrote that code is a fool.
>>
>> http://xkcd.com/327/
>>
>> They didn't sanitize your database inputs.
>
> I assume you're talking about the above two lines of code? They're not
> SQL injection targets.
Then how those page entries found in the database Chris?
> The clue is that the %s isn't in quotes.
What happens if i write it like this?
cur.execute('''SELECT ID FROM counters WHERE url = "%s"''', page )
How quoting of %s helps here?
> This is an out-of-band argument passing method (actually, since he's using
> MySQL (IIRC), it's probably just going to escape it and pass it on
> through, but it comes to the same thing), so it's safe.
Yes iam using a comma and not a substitute operator, so input is mysql
validates.
Please explain what is an "out-of-band argument passing method"
What your idea of those entries made it to the counters database table?
--
What is now proved was at first only imagined!
More information about the Python-list
mailing list