[Tutor] postgreSQL + psycopg2
Danny Yoo
dyoo at hashcollision.org
Tue May 10 15:37:28 EDT 2016
> here is the result.
>
> 1
> ('Supervisor',)
> <tr>
> <td>1</td>
> <td>Vinayak</td>
> <td>Salunke</td>
> <td>1</td>
>
> Now I need to remove the braces and quotes .. :)
By the way, be very careful about generating HTML via naive string
concatenation. If you can use a template engine such as Jinja
(http://jinja.pocoo.org/), please do so.
The main problem here is that the content you're using from the
database might have characters that look "html"-ish, in which case the
use of string concatenation is a vector for a Bobby-tables-like
injection attack.
https://xkcd.com/327/
If you can't use a templating engine that knows about HTML escaping,
then you still need to add html escaping where the rows are being
constructed here:
for row in line1:
    print """<td>"""+str(row)+"""</td>"""
See: https://docs.python.org/3/library/html.html#html.escape
Basically, any place where something "structured" (SQL queries, HTML)
is being constructed from something unstructured (string
concatenation), that's where injection attacks like to live. Be
careful.
Hope this helps!
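Added example (not code from the thread): the concatenation pattern quoted above beside the escaped version Danny recommends, using only html.escape from the standard library. The rows are constructed here, shaped like what psycopg2's cursor.fetchall() returns (a tuple per row), so no database connection is needed; the row containing markup is deliberately constructed to show why escaping matters. The function names and the None-as-empty-cell choice are this example's own.

```python
import html

# Constructed sample rows in the shape psycopg2's cursor.fetchall() returns:
# one tuple per row, one value per column. The second row is constructed to
# carry markup and quotes, as a database value might; the third has a NULL.
SAMPLE_ROWS = [
    (1, "Vinayak", "Salunke", 1),
    (2, '<script>alert("x")</script>', "O'Neil", 2),
    (3, None, "Smith", 1),
]


def scalar(row):
    """Take the single value out of a one-column row such as ('Supervisor',).
    Indexing the tuple is what removes the parentheses and quotes seen in
    the quoted output; there is nothing to strip from the string itself."""
    (value,) = row  # raises ValueError if the row is not exactly one column
    return value


def naive_row_html(row):
    """The string-concatenation pattern from the thread (vulnerable):
    whatever is stored in the database lands in the page unchanged."""
    return "<tr>" + "".join("<td>" + str(v) + "</td>" for v in row) + "</tr>"


def escaped_row_html(row):
    """Same output shape, but every cell passes through html.escape(), so
    '<', '>', '&' and both quote characters become character references
    and can no longer be read as markup. A NULL (None) renders as an
    empty cell instead of the literal text 'None'."""
    cells = []
    for v in row:
        text = "" if v is None else str(v)
        cells.append("<td>" + html.escape(text, quote=True) + "</td>")
    return "<tr>" + "".join(cells) + "</tr>"


def render_table(rows, render_row=escaped_row_html):
    """Render a list of rows as a table; the escaped renderer is the default."""
    return "<table>\n" + "\n".join(render_row(r) for r in rows) + "\n</table>"


if __name__ == "__main__":
    print(scalar(("Supervisor",)))
    print(render_table(SAMPLE_ROWS, naive_row_html))  # markup survives intact
    print(render_table(SAMPLE_ROWS))                  # markup is neutralised
```

The check worth keeping in mind is the one the test below performs: after escaping, the literal sequence `<script>` from the data must not appear anywhere in the rendered fragment, while the harmless first row renders exactly as the thread's expected `<td>` cells.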