Why 'files.py' does not print the filenames into a table format?
Nick the Gr33k
support at superhost.gr
Sat Jun 15 21:24:25 EDT 2013
On 16/6/2013 1:51 πμ, Chris Angelico wrote:
> On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick
> <benjamin at schollnick.net> wrote:
>> cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
>> cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )
>>
>> Sure, whoever wrote that code is a fool.
>>
>> http://xkcd.com/327/
>>
>> They didn't sanitize your database inputs.
>
> I assume you're talking about the above two lines of code? They're not
> SQL injection targets. The clue is that the %s isn't in quotes. This
> is an out-of-band argument passing method (actually, since he's using
> MySQL (IIRC), it's probably just going to escape it and pass it on
> through, but it comes to the same thing), so it's safe.
>
> ChrisA
>
Here is how i think i have dealt with it:
=================
path = '/home/nikos/public_html/'
cgi_path = '/home/nikos/public_html/cgi-bin/'
file = form.getvalue('file') # this comes from .htaccess
page = form.getvalue('page') # this comes form index.html or metrites.py
if not page and os.path.exists( file ):
# it is an html template
page = file.replace( path, '' )
.....
.....
#find the needed counter for the page URL
if os.path.exists( path + page ) or os.path.exists( cgi_path + page ):
cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
data = cur.fetchone() #URL is unique
==================
Do you think i'am sfae now from those kind of attacks?
Do you see some other way, better, to write the above?
--
What is now proved was at first only imagined!
More information about the Python-list
mailing list