Subject: Re: Why 'files.py' does not print the filenames into a table format?
From: Chris Angelico
To: python-list@python.org
Date: Sun, 16 Jun 2013 08:51:41 +1000
Newsgroups: comp.lang.python

On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick wrote:
> cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
> cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )
>
> Sure, whoever wrote that code is a fool.
>
> http://xkcd.com/327/
>
> They didn't sanitize your database inputs.

I assume you're talking about the above two lines of code? They're not
SQL injection targets. The clue is that the %s isn't in quotes. This is
an out-of-band argument passing method (actually, since he's using MySQL
(IIRC), it's probably just going to escape it and pass it on through, but
it comes to the same thing), so it's safe.

ChrisA
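A worked illustration of the point made in the reply above, added here and not code from the thread: the same counter lookup done by splicing the value into the SQL text (the pattern the xkcd strip is about) beside the placeholder form the quoted code actually uses. It assumes the stdlib sqlite3 module, whose paramstyle is `?` rather than the `%s` of the MySQL driver in the post; the mechanism, the value travelling to the driver as a separate argument, is the same.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the poster's `counters` table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE counters (id INTEGER PRIMARY KEY, url TEXT, hits INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO counters (url) VALUES (?)", [("/index",), ("/about",)]
    )
    return conn


def lookup_unsafe(conn, page):
    # The placeholder sits inside quotes and is filled in by Python before the
    # driver sees the statement, so any quote character in `page` becomes SQL.
    sql = "SELECT id FROM counters WHERE url = '%s'" % page
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, page):
    # The placeholder is NOT quoted: the statement text is fixed and `page` is
    # handed to the driver separately, so the whole string is treated as data.
    rows = conn.execute("SELECT id FROM counters WHERE url = ?", (page,))
    return [row[0] for row in rows]


def get_or_create(conn, page):
    # The two statements from the quoted code, written with placeholders.
    ids = lookup_safe(conn, page)
    if ids:
        return ids[0]
    cur = conn.execute("INSERT INTO counters (url) VALUES (?)", (page,))
    return cur.lastrowid


if __name__ == "__main__":
    db = make_db()
    odd = "/x' OR '1'='1"          # constructed input containing a quote
    print(lookup_unsafe(db, odd))  # matches every row: the quote altered the query
    print(lookup_safe(db, odd))    # matches nothing: compared literally as a URL
    print(get_or_create(db, odd))  # stored verbatim as a new row
```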