Why 'files.py' does not print the filenames into a table format?
Nick the Gr33k
support at superhost.gr
Sat Jun 15 21:10:32 EDT 2013
On 16/6/2013 1:51 πμ, Chris Angelico wrote:
> On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick
> <benjamin at schollnick.net> wrote:
>> cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
>> cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )
>>
>> Sure, whoever wrote that code is a fool.
>>
>> http://xkcd.com/327/
>>
>> They didn't sanitize your database inputs.
>
> I assume you're talking about the above two lines of code? They're not
> SQL injection targets. The clue is that the %s isn't in quotes. This
> is an out-of-band argument passing method (actually, since he's using
> MySQL (IIRC), it's probably just going to escape it and pass it on
> through, but it comes to the same thing), so it's safe.
>
> ChrisA
>
Chris or someone else please explain a bit whats happening here because
that list is getting bigger and bigger as we speak.
look: http://superhost.gr/?show=stats
At least i have secured 'pelatologio.py' form prying eyes.
--
What is now proved was at first only imagined!
More information about the Python-list
mailing list