Updating a filename's counter value failed each time

Alister alister.ware at ntlworld.com
Mon Jun 17 16:43:12 EDT 2013


On Mon, 17 Jun 2013 20:26:57 +0000, Alister wrote:

> On Mon, 17 Jun 2013 22:30:57 +0300, Νίκος wrote:
> 
>> On 17/6/2013 10:05 μμ, Alister wrote:
> >>> You are correct Nicos, passing the values as a parameter list does
> >>> protect you from SQL injection; JT has made an error.
>> 
> >> Even if the query is something like:
>> 
>> http://superhost.gr/cgi-bin/files.py?filename="Select....."
>> 
>>  From what exactly the comma protects me for?
>> 
>> What id=f the user passes data to filename variable throgh url? Will
>> comma understand that?
>> How can it tell form a normal filename opposes to a select statemnt
>> acting as a filename value?
> 
> This is because the execute method is written to escape the contents of
> the parameter list.
> If you want more information you really do need to read either the
> documentation or a good tutorial, which would explain things far better
> than I can.
> 
> Otherwise prove it to yourself by creating a dummy database & trying it.
> 
> Make sure you are NOT using your production database so you do not risk
> any real data.


Some very crude code using sqlite to demonstrate the principle (sqlite 
uses ? as a wild card instead of %s):

import sqlite3 as sql

db = sql.connect(':memory:')

makedb = "CREATE TABLE `TEST` (data text)"
cursor = db.cursor()
cursor.execute(makedb)
gooddata = "safe text"
baddata = "');drop table TEST"

# 1st insert: bound parameter, so baddata is stored as a plain string
cursor.execute("INSERT INTO TEST VALUES (?)", [baddata])
cursor.execute('SELECT * from TEST')
print(cursor.fetchall())

# 2nd insert: string formatting; only harmless because gooddata is harmless
cursor.execute("INSERT INTO TEST VALUES ('%s')" % gooddata)
cursor.execute('SELECT * from TEST')
print(cursor.fetchall())

# 3rd insert: string formatting with baddata yields two statements;
# sqlite3 runs only one statement per execute() and raises instead
try:
    cursor.execute("INSERT INTO TEST VALUES ('%s')" % baddata)
except (sql.Warning, sql.Error) as e:
    print("3rd insert rejected:", e)
cursor.execute('SELECT * from TEST')
print(cursor.fetchall())

The 1st 2 inserts will both work & reasonable data will be printed.
The 3rd will fail because sqlite does not allow multiple commands to be 
chained; if this was run in mysql then the table TEST would be deleted.
-- 
"For a male and female to live continuously together is...  biologically 
speaking, an extremely unnatural condition."
-- Robert Briffault
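The post above demonstrates a stacked second statement, which the sqlite3 module happens to refuse. The following Python 3 example is added here and is not part of Alister's post or the thread; the table name `files`, the function names and the sample rows are all constructed for illustration. It takes a `filename` value out of a query string the way a CGI script would, then runs the same lookup once with `%` formatting and once with a bound `?` parameter. The payload is a tautology (`x' OR '1'='1`) that needs no second statement, so the driver's one-statement rule does not help; the parameterised version simply looks for a file with that literal name. It also shows the per-file counter update from the thread's scenario done with a bound parameter.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data (not from the original post): one hit counter per
# filename, modelled on the per-file counter the thread is about.
SAMPLE_ROWS = [("index.html", 3), ("secret.pdf", 7), ("notes.txt", 1)]


def make_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (filename TEXT PRIMARY KEY, hits INTEGER)")
    db.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def filename_from_query(query_string):
    """Take the filename exactly as a CGI script would from ?filename=...

    parse_qs percent-decodes the value, so quotes and SQL keywords arrive
    as an ordinary Python string; nothing here knows or cares about SQL.
    """
    return parse_qs(query_string).get("filename", [""])[0]


def hits_vulnerable(db, filename):
    """Injectable: the value is pasted into the SQL text before parsing."""
    query = "SELECT filename, hits FROM files WHERE filename = '%s'" % filename
    return db.execute(query).fetchall()


def hits_vulnerable_guarded(db, filename):
    """Same injectable query, reporting what the sqlite3 module does with it.

    Returns ("rows", [...]) when the statement ran, or ("error", message)
    when sqlite3 refused it (for example a stacked second statement).
    """
    try:
        return ("rows", hits_vulnerable(db, filename))
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return ("error", str(exc))


def hits_safe(db, filename):
    """Parameterised: the value is bound after the SQL is parsed, so it can
    only ever be compared as data, never interpreted as SQL."""
    return db.execute(
        "SELECT filename, hits FROM files WHERE filename = ?", (filename,)
    ).fetchall()


def bump_counter_safe(db, filename):
    """Increment one file's counter with a bound parameter; returns rows changed."""
    cur = db.execute("UPDATE files SET hits = hits + 1 WHERE filename = ?",
                     (filename,))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker input, URL-encoded as it would appear in the URL:
    # filename=x' OR '1'='1   (a tautology; no second statement needed)
    tautology = filename_from_query("filename=x%27+OR+%271%27%3D%271")
    print("vulnerable:", hits_vulnerable(db, tautology))   # every row
    print("safe:      ", hits_safe(db, tautology))         # no such file
    # Stacked statement: sqlite3 refuses it, but that is the driver's
    # one-statement rule, not a defence; the tautology above already worked.
    stacked = "secret.pdf'; DROP TABLE files; --"
    print("stacked:   ", hits_vulnerable_guarded(db, stacked))
    print("counter:   ", bump_counter_safe(db, "secret.pdf"),
          hits_safe(db, "secret.pdf"))
```

Running it prints all three rows from the formatted query and an empty list from the bound one for the same input; the stacked payload is reported as an error by the driver with the table intact, and the counter update changes exactly one row when given a real filename and none when given the injection string.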


