On 16/6/2013 1:51 AM, Chris Angelico wrote:
On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick
<benja...@schollnick.net> wrote:
cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )

Sure, whoever wrote that code is a fool.

http://xkcd.com/327/

They didn't sanitize your database inputs.

I assume you're talking about the above two lines of code? They're not
SQL injection targets. The clue is that the %s isn't in quotes. This
is an out-of-band argument passing method (actually, since he's using
MySQL (IIRC), it's probably just going to escape it and pass it on
through, but it comes to the same thing), so it's safe.

ChrisA


Chris or someone else please explain a bit what's happening here because that list is getting bigger and bigger as we speak.

look: http://superhost.gr/?show=stats

At least I have secured 'pelatologio.py' from prying eyes.

--
What is now proved was at first only imagined!
--
http://mail.python.org/mailman/listinfo/python-list
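The point Chris makes above (a placeholder that is not quoted in the SQL text is passed out of band, so hostile input stays data) is easier to see side by side. The following is an added example, not code from the thread or from pelatologio.py. It assumes an in-memory sqlite3 table shaped like the poster's "counters" (ID, url, plus a hits column added for the demonstration); sqlite3 uses ? instead of %s and requires the parameters as a tuple, but the argument-passing rule is the same as with MySQLdb. The table contents and the hostile page name are constructed for the example.

```python
import sqlite3

# Constructed sample data: a few page names in a table like the poster's
# "counters". sqlite3 stands in for MySQL/MySQLdb (assumption: same
# parameter-passing behaviour, different placeholder syntax).
SAMPLE_URLS = ["index.html", "about.html", "contact.html"]

# Constructed hostile input: a closing quote followed by an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE counters (ID INTEGER PRIMARY KEY, url TEXT, hits INTEGER DEFAULT 0)"
    )
    conn.executemany("INSERT INTO counters (url) VALUES (?)", [(u,) for u in SAMPLE_URLS])
    conn.commit()
    return conn


def lookup_vulnerable(conn, page):
    # The page name is pasted into the SQL text inside quotes, so a value that
    # contains a quote changes the statement itself. This is the injectable form.
    sql = "SELECT ID FROM counters WHERE url = '%s'" % page
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, page):
    # The placeholder is NOT quoted in the SQL text; the value is handed to the
    # driver separately and is matched as a literal string, whatever it contains.
    sql = "SELECT ID FROM counters WHERE url = ?"
    return [row[0] for row in conn.execute(sql, (page,))]


def record_hit(conn, page):
    # The poster's SELECT-then-INSERT pattern, with parameters used throughout,
    # plus an UPDATE so the function returns the new hit count for that page.
    if not lookup_parameterised(conn, page):
        conn.execute("INSERT INTO counters (url) VALUES (?)", (page,))
    conn.execute("UPDATE counters SET hits = hits + 1 WHERE url = ?", (page,))
    conn.commit()
    return conn.execute("SELECT hits FROM counters WHERE url = ?", (page,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))    # every row matches
    print("parameterised:", lookup_parameterised(db, PAYLOAD))  # no row matches
    print("hits for payload after two visits:", record_hit(db, PAYLOAD), record_hit(db, PAYLOAD))
```

Run against the payload, the interpolated query becomes `SELECT ID FROM counters WHERE url = 'x' OR '1'='1'` and returns every ID, while the parameterised query returns nothing and, once the page is recorded, stores the whole payload verbatim as just another url value.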
