Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #73597
| Date | 2014-06-26 00:29 +0100 |
|---|---|
| From | MRAB <python@mrabarnett.plus.com> |
| Subject | Re: protect psycopg script from sql injection? |
| References | <CAHByMH0PZKRrie3co9JSUhfr-VufCxO-Jy1K42tAjGvt2mifYg@mail.gmail.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.11247.1403738987.18130.python-list@python.org> (permalink) |
On 2014-06-25 22:58, celati Laurent wrote:
> Hello,
>
> I coded this following python script via psycopg;
>
> web_service_test.py
> <http://python.6.x6.nabble.com/file/n5062113/web_service_test.py>
>
> 1/ When i execute it, the result is 'bad resquest'. Could you tell me why?
>
> 2/ Could you tell me how to protect this script from SQL injections please?
>
In answer to question 2, don't insert the values into the query string
as you're doing here:
selectString = "SELECT ST_AsText(geom), cult_lib FROM rpg WHERE
ST_Intersects(SELECT ST_GeomFromText('POINT(%s %s)',2154), rpg)" % (x, y)
Instead, use the placeholder %s in the query string to indicate where a
values should go and then pass that query string and a tuple of the
values to the .execute method:
selectString = "SELECT ST_AsText(geom), cult_lib FROM rpg WHERE
ST_Intersects(SELECT ST_GeomFromText('POINT(%s %s)',2154), rpg)"
cur.execute(selectString, (x, y))
The database engine will insert the values itself, safely.
Back to comp.lang.python | Previous | Next | Find similar | Unroll thread
Re: protect psycopg script from sql injection? MRAB <python@mrabarnett.plus.com> - 2014-06-26 00:29 +0100
csiph-web