On 14 kol, 00:14, Philip Semanchuk <phi...@semanchuk.com> wrote:
> On Aug 13, 2009, at 6:00 PM, azrael wrote:
>
> > On 13 kol, 22:09, Philip Semanchuk <phi...@semanchuk.com> wrote:
> >> On Aug 13, 2009, at 2:56 PM, azrael wrote:
>
> >>>>>> j
> >>> [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
> >>>>>> len(j)
> >>> 5
> >>>>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
> >>>>>> d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija
> >>>>>> as z, drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv
> >>>>>> = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =
> >>>>>> '%s'""" % (j)
> >>> Traceback (most recent call last):
> >>>   File "<string>", line 1, in <string>
> >>> TypeError: not enough arguments for format string
>
> >> Hi azrael,
> >> You already have an answer to your question so I won't address that.
> >> I want to point out that this is a dangerous way to build SQL
> >> statements.
>
> >> For instance, what happens if someone enters a city name of L'viv?
> >> Your SQL will break due to mismatched single quotes. This kind of
> >> code is vulnerable to SQL injection attacks:
> >> http://en.wikipedia.org/wiki/SQL_injection
>
> >> Parameterized SQL is safer. Googling for 'parameterized SQL Python'
> >> should find some examples for you.
>
> >> Good luck
> >> Philip
>
> > I know already. This is supposed to be a small office application
> > connecting on a LAN MySQL server with no web connection. Thank you
> > anyway.
>
> You're welcome. I'm glad you are aware. You're ahead of a lot of
> developers out there.
>
> I encourage you to at least think about using parameterized SQL anyway
> because you never know when someone (maybe even you!) will copy &
> paste your code, or use your library without realizing that it was
> "internal use only". It's usually just as easy as building SQL strings
> anyway.
>
> And besides, what about L'viv? =)
>
> Good luck with whatever choice you make
> Philip
Currently I am working on just a prototype to show what is possible to be done, to get me some funding for my future work. After that I will move over to SQLAlchemy. Its ORM will take over this business for me. A lot of people are not aware of SQL injection. My friend from college asked me and a couple of other guys for pen testing of a website. His SQL injection mistake made him an epic fail.

Thanks

--
http://mail.python.org/mailman/listinfo/python-list
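The two points raised in the thread, the `% (j)` TypeError and Philip's L'viv case, side by side in one runnable script. This is an added example, not code from the thread or from either poster: it assumes an in-memory sqlite3 table named `opcina` with three constructed rows standing in for the MySQL schema, and uses sqlite3's `?` placeholder (MySQLdb uses `%s` as its placeholder but takes the parameter tuple the same way).

```python
import sqlite3

# Constructed sample data: a single-table stand-in for the thread's
# opcina table; sqlite3 is used so the example runs offline.
CITIES = ["Tata", "Oriovac", "L'viv"]


def make_db():
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE opcina (id_opcina INTEGER PRIMARY KEY, naziv TEXT)")
    conn.executemany("INSERT INTO opcina (naziv) VALUES (?)", [(c,) for c in CITIES])
    conn.commit()
    return conn


def format_with_list(j):
    """Reproduce the TypeError from the thread: (j) is just the list j, so the
    % operator sees ONE argument for two %s slots. Returns the message text."""
    try:
        return "naziv = '%s' AND naziv = '%s'" % (j)
    except TypeError as exc:
        return str(exc)  # 'not enough arguments for format string'


def lookup_with_format(conn, naziv):
    """The pattern from the thread: SQL text built with %-formatting.
    A quote inside the value becomes SQL syntax. Returns (row_id, error)."""
    sql = "SELECT id_opcina FROM opcina WHERE naziv = '%s'" % (naziv,)
    try:
        row = conn.execute(sql).fetchone()
        return (row[0] if row else None), None
    except sqlite3.Error as exc:
        return None, str(exc)  # L'viv: the query never even parses


def lookup_parameterized(conn, naziv):
    """DB-API parameter binding: the value is never spliced into the SQL text,
    so the apostrophe in L'viv is just a character in the data."""
    row = conn.execute(
        "SELECT id_opcina FROM opcina WHERE naziv = ?", (naziv,)
    ).fetchone()
    return row[0] if row else None


def lookup_many_parameterized(conn, names):
    """Multi-value form of the thread's query: one placeholder per value and
    the list passed as the parameter tuple, i.e. tuple(j) goes to the driver,
    not into the string."""
    if not names:
        return []
    placeholders = " OR ".join("naziv = ?" for _ in names)
    rows = conn.execute(
        "SELECT id_opcina FROM opcina WHERE " + placeholders + " ORDER BY id_opcina",
        tuple(names),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(format_with_list(["Tata", "Oriovac"]))
    print(lookup_with_format(db, "Tata"))
    print(lookup_with_format(db, "L'viv"))
    print(lookup_parameterized(db, "L'viv"))
    print(lookup_many_parameterized(db, ["Tata", "L'viv"]))
```

The placeholder string in `lookup_many_parameterized` is built only from the fixed token `naziv = ?`, never from the values, which is what keeps it on the safe side of the line the thread is discussing.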