On 16/6/2013 1:51 πμ, Chris Angelico wrote:
> On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick
> <benja...@schollnick.net> wrote:
>> cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
>> cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )
>> Sure, whoever wrote that code is a fool.
>> http://xkcd.com/327/
>> They didn't sanitize your database inputs.
>
> I assume you're talking about the above two lines of code? They're not
> SQL injection targets.

Then how were those page entries found in the database, Chris?

> The clue is that the %s isn't in quotes.

What happens if I write it like this?

cur.execute('''SELECT ID FROM counters WHERE url = "%s"''', page )

How does quoting %s help here?

> This is an out-of-band argument passing method (actually, since he's using
> MySQL (IIRC), it's probably just going to escape it and pass it on
> through, but it comes to the same thing), so it's safe.

Yes, I am using a comma and not a substitute operator, so the input is
validated by MySQL.

Please explain what an "out-of-band argument passing method" is.
What is your idea of how those entries made it to the counters database table?
--
What is now proved was at first only imagined!
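As an added example that is not part of this thread, the comma form beside the % form over a constructed sqlite3 table (sqlite3 is used so it runs offline; its placeholder is ? where MySQLdb's is %s), plus the quoted-placeholder variant asked about above:

```python
import sqlite3

# Constructed stand-in for the "counters" table discussed in the thread.
# sqlite3 is used so the example runs offline; its placeholder is '?' where
# MySQLdb uses '%s', but the parameter-passing mechanism is the same.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE counters (ID INTEGER PRIMARY KEY, url TEXT)")
    con.executemany("INSERT INTO counters (url) VALUES (?)",
                    [("/index.html",), ("/about.html",)])
    return con

def lookup_parameterized(con, page):
    # The safe form from the thread: the value is handed over as a separate
    # argument (the comma), never spliced into the SQL text, so whatever it
    # contains is compared as data and cannot change the statement's shape.
    return con.execute("SELECT ID FROM counters WHERE url = ?", (page,)).fetchall()

def lookup_interpolated(con, page):
    # The mistake the xkcd strip is about: Python's % operator builds the
    # SQL text out of the value before the database ever sees it, so a quote
    # inside the value becomes part of the statement.
    sql = "SELECT ID FROM counters WHERE url = '%s'" % page
    return con.execute(sql).fetchall()

def lookup_quoted_placeholder(con, page):
    # The variant asked about above: once the placeholder sits inside quotes
    # it is just part of a string literal, so the driver sees no parameter
    # slot at all and rejects the unused binding instead of using it.
    try:
        return con.execute("SELECT ID FROM counters WHERE url = '?'", (page,)).fetchall()
    except sqlite3.ProgrammingError as exc:
        return "ProgrammingError: %s" % exc

if __name__ == "__main__":
    con = make_db()
    # Constructed inputs: a normal page and one containing a quote character.
    for page in ("/index.html", "x' OR '1'='1"):
        print(repr(page), lookup_parameterized(con, page), lookup_interpolated(con, page))
    print(lookup_quoted_placeholder(con, "/index.html"))
```

The parameterized lookup returns the same rows whatever the value contains, while the interpolated one returns every row for the second input and the quoted placeholder fails outright.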
--
http://mail.python.org/mailman/listinfo/python-list