On 16/6/2013 1:51 AM, Chris Angelico wrote:
> On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick
> <benja...@schollnick.net> wrote:
>>> cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
>>> cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )
>>
>> Sure, whoever wrote that code is a fool.
>>
>> http://xkcd.com/327/
>>
>> They didn't sanitize your database inputs.
>
> I assume you're talking about the above two lines of code? They're not
> SQL injection targets. The clue is that the %s isn't in quotes. This
> is an out-of-band argument passing method (actually, since he's using
> MySQL (IIRC), it's probably just going to escape it and pass it on
> through, but it comes to the same thing), so it's safe.
>
> ChrisA


Here is how I think I have dealt with it:

=================
import os
import cgi

form = cgi.FieldStorage()

path = '/home/nikos/public_html/'
cgi_path = '/home/nikos/public_html/cgi-bin/'

file = form.getvalue('file')    # this comes from .htaccess
page = form.getvalue('page')    # this comes from index.html or metrites.py

if not page and file and os.path.exists(file):
    # it is an html template
    page = file.replace(path, '')

# .....  (database connection and the cursor `cur` are set up in code omitted here)
# .....

# find the needed counter for the page URL
if page and (os.path.exists(path + page) or os.path.exists(cgi_path + page)):
    # the value is passed to the driver as a parameter tuple, not pasted into the SQL text
    cur.execute('''SELECT ID FROM counters WHERE url = %s''', (page,))
    data = cur.fetchone()           # URL is unique
==================

Do you think I am safe now from those kinds of attacks?
Do you see some other, better way to write the above?
--
What is now proved was at first only imagined!
--
http://mail.python.org/mailman/listinfo/python-list
