Why doesn't 'files.py' print the filenames in a table format?

Nick the Gr33k support at superhost.gr
Sat Jun 15 21:24:25 EDT 2013


On 16/6/2013 1:51 AM, Chris Angelico wrote:
> On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick
> <benjamin at schollnick.net> wrote:
>> cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
>> cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )
>>
>> Sure, whoever wrote that code is a fool.
>>
>> http://xkcd.com/327/
>>
>> They didn't sanitize your database inputs.
>
> I assume you're talking about the above two lines of code? They're not
> SQL injection targets. The clue is that the %s isn't in quotes. This
> is an out-of-band argument passing method (actually, since he's using
> MySQL (IIRC), it's probably just going to escape it and pass it on
> through, but it comes to the same thing), so it's safe.
>
> ChrisA
>

Here is how I think I have dealt with it:

=================
import os
import cgi

form = cgi.FieldStorage()          # assumed: the standard cgi module supplies `form`

path = '/home/nikos/public_html/'
cgi_path = '/home/nikos/public_html/cgi-bin/'

file = form.getvalue('file')       # this comes from .htaccess
page = form.getvalue('page')       # this comes from index.html or metrites.py

# getvalue() returns None when the parameter is absent, and
# os.path.exists(None) raises TypeError, so check `file` first
if not page and file and os.path.exists( file ):
    # it is an html template
    page = file.replace( path, '' )

.....
.....

#find the needed counter for the page URL
if os.path.exists( path + page ) or os.path.exists( cgi_path + page ):
    # DB-API parameters are passed as a sequence, hence the one-element tuple;
    # the driver sends `page` separately from the SQL text
    cur.execute('''SELECT ID FROM counters WHERE url = %s''', (page,) )
    data = cur.fetchone()          # URL is unique

==================

Do you think I am safe now from those kinds of attacks?
Do you see some other, better way to write the above?
-- 
What is now proved was at first only imagined!
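Chris's point above is the one that settles the SQL question: when `page` is handed to `cur.execute()` as a separate parameter, the `%s` is a placeholder rather than string formatting, the driver quotes or transmits the value out-of-band, and no content of `page` is ever parsed as SQL. The existence check added in the post therefore does not add anything against injection, and it does not bound `page` to the web root either: `page` is concatenated onto a directory and passed to `os.path.exists()`, which is just as happy with a value containing `..` components as with `index.html`, so a caller can probe for, and depending on what the elided code does with the path, read, files outside `public_html`. The block below is an added example written for this page; it is not code from the post or from anyone in the thread. It substitutes an in-memory sqlite3 table for the MySQL one (placeholder `?` instead of `%s`), builds a throwaway web root with constructed sample files, and uses hypothetical helper names (`naive_exists_check`, `resolve_page`, `counter_id`, `demo`) to compare the post's check with a containment check built on `os.path.realpath()` and `os.path.commonpath()`.

```python
import os
import sqlite3
import tempfile

# All helper names below are this example's own, not from the post.


def naive_exists_check(page, roots):
    """The check from the post: accept `page` if root + page exists on disk.
    Nothing here stops `page` from containing '..' and resolving outside the roots."""
    return any(os.path.exists(os.path.join(root, page)) for root in roots)


def resolve_page(page, roots):
    """Return the canonical path of `page` only if it is a regular file inside
    one of `roots`; otherwise None.  realpath() collapses '..' and symlinks,
    and commonpath() rejects prefix tricks such as /home/x/public_html_old."""
    if not page:
        return None
    for root in roots:
        real_root = os.path.realpath(root)
        candidate = os.path.realpath(os.path.join(real_root, page))
        if os.path.commonpath([real_root, candidate]) != real_root:
            continue  # escaped the root (e.g. via '..'): reject this root
        if os.path.isfile(candidate):
            return candidate
    return None


def counter_id(cur, page):
    """Parameterised lookup: the value travels separately from the SQL text.
    sqlite3 uses '?' where MySQLdb uses '%s'; both take a sequence of
    parameters, hence the one-element tuple.  Returns the row id or None."""
    cur.execute("SELECT id FROM counters WHERE url = ?", (page,))
    row = cur.fetchone()
    return row[0] if row else None


def demo():
    """Build a throwaway web root (constructed sample data, not real files
    from the post) and run both checks over ordinary and hostile `page` values.
    Returns {page: (naive_accepts, hardened_accepts, counter_id)}."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "public_html")
        cgi_path = os.path.join(path, "cgi-bin")
        os.makedirs(cgi_path)
        for rel in ("index.html", os.path.join("cgi-bin", "files.py")):
            with open(os.path.join(path, rel), "w") as fh:
                fh.write("sample\n")
        # A file outside the web root that `page` must never be able to reach.
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("not for the web\n")

        con = sqlite3.connect(":memory:")
        cur = con.cursor()
        cur.execute("CREATE TABLE counters (id INTEGER PRIMARY KEY, url TEXT UNIQUE)")
        cur.executemany("INSERT INTO counters (url) VALUES (?)",
                        [("index.html",), ("cgi-bin/files.py",)])

        roots = [path, cgi_path]
        # Constructed probes: two legitimate pages, a traversal attempt, an
        # injection attempt, and the empty string.
        probes = ["index.html", "cgi-bin/files.py", "../secret.txt", "' OR 1=1 --", ""]
        results = {}
        for page in probes:
            results[page] = (naive_exists_check(page, roots),
                             resolve_page(page, roots) is not None,
                             counter_id(cur, page))
        con.close()
        return results


if __name__ == "__main__":
    for page, (naive, hardened, cid) in demo().items():
        print("%-20r naive=%-5s hardened=%-5s counter_id=%s" % (page, naive, hardened, cid))
```

Two things are worth noticing in the output. The injection probe is harmless under both checks, because parameter passing already made the query safe; no filesystem check was needed for that. The traversal probe, by contrast, passes the post's existence check and is rejected only by the containment check, and the empty string passes the naive check too because `path + ''` is the directory itself. If the resolved path is then used as the counter key, store the root-relative form of `candidate` rather than the raw `page`, so that two spellings of the same file do not become two counters.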



More information about the Python-list mailing list