Updating a filename's counter value failed each time

Νίκος support at superhost.gr
Mon Jun 17 14:06:16 EDT 2013


On 17/6/2013 8:54 PM, Jens Thoms Toerring wrote:
> Also take care to check the filename you insert - a malicious
> user might cobble together a file name that is actually a SQL
> statement and then do nasty things to your database. I.e. never
> insert values you received from a user without checking them.

Yes, in general user input validation is always needed, but here the 
filename being selected is from an HTML table list of filenames.

But I take it you mean that someone might try to pass a bogus 
"filename" value from the URL like:

http://superhost.gr/cgi-bin/files.py?filename="Select....."

Is that what you mean?

But doesn't the comma inside the execute statement protect me from such 
actions, as opposed to when I was using the substitute operator?

> I would guess because you forgot the quotes around string
> values in your SQL statement which thus wasn't executed.

I tried your suggestions:

cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
%s WHERE url = "%s"''', (host, lastvisit, filename) )

seems the same as:

cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
%s WHERE url = %s''', (host, lastvisit, filename) )

Since everything is triple quoted already, what would the difference be 
in "%s" as opposed to plain %s?

-- 
What is now proved was at first only imagined!
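A worked illustration of the difference the post asks about, added here as an example (not code from the thread). It assumes a MySQLdb-style driver with "format" paramstyle, whose client-side parameter quoting is modelled by a simplified helper; the host, lastvisit and filename values are constructed.

```python
# Added example, not from the original thread: a simplified model of how a
# DB-API driver with paramstyle "format" (MySQLdb, suggested by the post's %s
# placeholders) builds the SQL it sends from cur.execute(sql, params).  Real
# drivers quote and escape each parameter client-side; literal() and render()
# mimic that (assumed, simplified behaviour) so the variants can be compared.

def literal(value):
    """Quote and escape one parameter the way the driver would."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"

def render(sql, params):
    """Model of cur.execute(sql, params): placeholders become quoted literals."""
    return sql % tuple(literal(p) for p in params)

# Constructed sample values standing in for the post's host and lastvisit.
HOST, LASTVISIT = "203.0.113.7", "2013-06-17 14:06:16"

# First variant from the post: quotes around %s.  The driver adds its own
# quotes, so the server compares url against "'name'" and nothing matches.
QUOTED_PLACEHOLDER = ('UPDATE files SET hits = hits + 1, host = %s, '
                      'lastvisit = %s WHERE url = "%s"')

# Second variant from the post: plain %s, the correct parameterised form.
PLAIN_PLACEHOLDER = ('UPDATE files SET hits = hits + 1, host = %s, '
                     'lastvisit = %s WHERE url = %s')

# The substitution-operator style the post mentions: Python pastes the raw
# value into the statement text, so the driver never gets to escape it.
STRING_FORMATTED = ("UPDATE files SET hits = hits + 1, host = '%s', "
                    "lastvisit = '%s' WHERE url = '%s'")

def where_clause(statement):
    """Return the part after WHERE, which is where the variants differ."""
    return statement.split("WHERE ", 1)[1]

def compare(filename):
    """Render all three variants for one filename and return their WHERE parts."""
    args = (HOST, LASTVISIT, filename)
    return {
        "quoted_placeholder": where_clause(render(QUOTED_PLACEHOLDER, args)),
        "plain_placeholder": where_clause(render(PLAIN_PLACEHOLDER, args)),
        # A quote inside filename closes the SQL string early here, and the
        # rest of the value is parsed as SQL instead of data.
        "string_formatted": where_clause(STRING_FORMATTED % args),
    }
```

For a plain name the parameterised and string-formatted forms look identical, which is why the hole is easy to miss; a filename containing a quote shows that only the driver-escaped version keeps the value inside the string literal.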


