Updating a filename's counter value failed each time

Alister alister.ware at ntlworld.com
Mon Jun 17 16:26:57 EDT 2013


On Mon, 17 Jun 2013 22:30:57 +0300, Νίκος wrote:

> On 17/6/2013 10:05 PM, Alister wrote:
>> You are correct Nicos, passing the values as a parameter list does
>> protect you from SQL injection; JT has made an error.
> 
> Even if the query is something like:
> 
> http://superhost.gr/cgi-bin/files.py?filename="Select....."
> 
>  From what exactly does the comma protect me?
> 
> What if the user passes data to the filename variable through the URL? Will
> the comma understand that?
> How can it tell a normal filename from a select statement
> acting as a filename value?

This is because the execute method is written to escape the contents of 
the parameter list.
If you want more information you really do need to read either the 
documentation or a good tutorial, which would explain things far better 
than I can.

Otherwise, prove it to yourself by creating a dummy database & trying it.

Make sure you are NOT using your production database so you do not risk 
any real data.


-- 
Being a BALD HERO is almost as FESTIVE as a TATTOOED KNOCKWURST.
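The dummy-database experiment the reply recommends, as an added example that is not part of the original thread: an in-memory sqlite3 table (constructed here, with made-up rows) updated once with a bound parameter and once with string formatting. The `files`/`hits` schema and the function names are assumptions; the `"Select....."` value is the one from the quoted URL. A bound parameter is handed to the driver separately from the SQL text, so it is never parsed as SQL, whereas a formatted-in value becomes part of the statement and a single quote in it already breaks the query.

```python
import sqlite3


def make_db():
    """Constructed dummy database; never run this experiment on production."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (url TEXT PRIMARY KEY, hits INTEGER NOT NULL)")
    conn.executemany("INSERT INTO files VALUES (?, ?)",
                     [("index.html", 3), ("o'reilly.html", 7)])
    conn.commit()
    return conn


def update_hits_safe(conn, filename):
    """Correct form: the value travels in the parameter tuple, not in the SQL text."""
    cur = conn.execute("UPDATE files SET hits = hits + 1 WHERE url = ?", (filename,))
    conn.commit()
    return cur.rowcount          # number of rows the UPDATE touched


def update_hits_unsafe(conn, filename):
    """Vulnerable form: the value is spliced into the statement before parsing."""
    sql = "UPDATE files SET hits = hits + 1 WHERE url = '%s'" % filename
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def hits(conn):
    return dict(conn.execute("SELECT url, hits FROM files ORDER BY url"))


def demo():
    conn = make_db()
    out = {}
    # The value from the thread's URL, quotes included, is just a string that
    # matches no row: nothing is executed, nothing is changed.
    out["safe_select_string"] = update_hits_safe(conn, '"Select....."')
    # A filename containing a quote is handled fine when bound as a parameter.
    out["safe_quote"] = update_hits_safe(conn, "o'reilly.html")
    # The same filename spliced in by %-formatting corrupts the SQL itself:
    # the driver raises instead of updating, the first symptom of an injection hole.
    try:
        update_hits_unsafe(conn, "o'reilly.html")
        out["unsafe_quote"] = "ran"
    except sqlite3.OperationalError:
        out["unsafe_quote"] = "OperationalError"
    out["hits"] = hits(conn)
    return out


if __name__ == "__main__":
    print(demo())
```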