Escaping confusion with Python 3 + MySQL

Steve D'Aprano steve+python at pearwood.info
Sun Mar 26 11:03:04 EDT 2017


On Mon, 27 Mar 2017 12:52 am, Νίκος Βέργος wrote:

> cur.execute('''UPDATE visitors SET (pagesID, host, ref, location, useros,
> browser, visits) VALUES ({}, {}, {}, {}, {}, {}, {}) WHERE host LIKE
> "{}"'''.format(pID, domain, ref, location, useros, browser, lastvisit,
> domain) )
> 
> Same kind of output in the error-log even with this attempt.


Don't do that! Even if you fix the SQL errors, this is vulnerable to code
injection attacks. If the caller can fool you into using a specially-made
string for any of those parameters (pID, domain, ref, ...) they can execute
any SQL code they like, without your knowledge.

https://xkcd.com/327/

http://www.explainxkcd.com/wiki/index.php/Little_Bobby_Tables


See also:

http://bobby-tables.com/



-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.
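The point above in runnable form, as an added example that is not from Steve's reply or the quoted post: the value-splicing pattern from the quoted code beside the placeholder form that bobby-tables.com recommends. It uses the standard-library sqlite3 module as a stand-in for MySQL so it runs offline (with a MySQL driver such as mysqlclient or PyMySQL the placeholder is %s instead of ?; the mechanism is the same), and the table layout and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for MySQL so this runs offline.
SAMPLE_VISITORS = [
    ("example.com", 3),
    ("O'Reilly.example", 7),   # a host that happens to contain a quote character
]


def make_db():
    """Create an in-memory table shaped roughly like the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (host TEXT PRIMARY KEY, visits INTEGER)")
    conn.executemany("INSERT INTO visitors VALUES (?, ?)", SAMPLE_VISITORS)
    conn.commit()
    return conn


def update_visits_formatted(conn, host, visits):
    """The pattern from the quoted post: values spliced into the SQL text.

    The value becomes part of the statement, so any quote or SQL syntax
    inside it alters the statement itself. An apostrophe is enough to make
    the database reject the query; a deliberately crafted value would
    change what the query does, which is the injection risk in the reply."""
    sql = "UPDATE visitors SET visits = {} WHERE host = '{}'".format(visits, host)
    conn.execute(sql)
    conn.commit()


def update_visits_parameterized(conn, host, visits):
    """Placeholders: the SQL text is fixed and the values travel separately,
    so the driver never has to parse them as SQL."""
    conn.execute(
        "UPDATE visitors SET visits = ? WHERE host = ?",
        (visits, host),
    )
    conn.commit()


def visits_for(conn, host):
    """Look up the visit count for one host, or None if it is not stored."""
    row = conn.execute("SELECT visits FROM visitors WHERE host = ?", (host,)).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants against the quoted host.

    Returns (exception name raised by the formatted query, or None,
             visit count after the parameterized update)."""
    conn = make_db()
    host = "O'Reilly.example"
    try:
        update_visits_formatted(conn, host, 8)
        formatted_result = None
    except sqlite3.OperationalError as exc:
        # sqlite3 reports a syntax error: the quote split the string literal
        formatted_result = type(exc).__name__
    update_visits_parameterized(conn, host, 8)
    return formatted_result, visits_for(conn, host)


if __name__ == "__main__":
    print(demo())  # ('OperationalError', 8)
```

The formatted version only fails loudly here because the sample host contains an apostrophe; on hosts without one it appears to work, which is why the problem goes unnoticed until the error log fills up. The parameterized version behaves the same for every value, since the value is never interpreted as SQL.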