Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #48552

Re: Updating a filename's counter value failed each time

Path csiph.com!usenet.pasdenom.info!gegeweb.org!de-l.enfer-du-nord.net!feeder1.enfer-du-nord.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed3.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail
Return-Path <python@mrabarnett.plus.com>
X-Original-To python-list@python.org
Delivered-To python-list@mail.python.org
X-Spam-Status OK 0.001
X-Spam-Evidence '*H*': 1.00; '*S*': 0.00; 'python,': 0.02; 'insert': 0.05; 'nasty': 0.07; 'string': 0.09; 'filename': 0.09; 'suggestions:': 0.09; 'python': 0.11; 'assume': 0.14; 'wrote': 0.14; 'random': 0.14; '"%s"': 0.16; '%s,': 0.16; '(host,': 0.16; 'comma': 0.16; 'executed.': 0.16; 'filename)': 0.16; 'filenames.': 0.16; 'from:addr:mrabarnett.plus.com': 0.16; 'from:addr:python': 0.16; 'from:name:mrab': 0.16; 'hits': 0.16; 'message- id:@mrabarnett.plus.com': 0.16; 'quoted': 0.16; 'subject:failed': 0.16; 'substitute': 0.16; 'url:filename': 0.16; 'url:py': 0.16; 'wrote:': 0.18; 'seems': 0.21; 'select': 0.22; 'rules': 0.22; 'header:User-Agent:1': 0.23; 'apply.': 0.24; 'own.': 0.24; 'looks': 0.24; 'query': 0.26; 'pass': 0.26; 'values': 0.27; 'header:In-Reply-To:1': 0.27; 'tried': 0.27; 'host': 0.29; 'generally': 0.29; 'thus': 0.29; "doesn't": 0.30; 'forgot': 0.30; 'statement': 0.30; 'quotes': 0.31; 'file': 0.32; 'probably': 0.32; 'checking': 0.33; 'guess': 0.33; 'plain': 0.33; 'subject:time': 0.33; 'table': 0.34; 'could': 0.34; 'problem.': 0.35; 'but': 0.35; 'i.e.': 0.36; 'opposed': 0.36; 'list': 0.37; 'being': 0.38; 'actions': 0.38; 'needed': 0.38; 'to:addr:python-list': 0.38; 'files': 0.38; 'to:addr:python.org': 0.39; "you're": 0.61; 'name': 0.63; 'such': 0.63; 'more': 0.64; 'different': 0.65; 'url:cgi- bin': 0.65; 'here': 0.66; 'header:Reply-To:1': 0.67; 'yes': 0.68; 'reply-to:no real name:2**0': 0.71; 'safe': 0.72; 'protect': 0.79; 'as:': 0.81; 'reply-to:addr:python.org': 0.84; 'from.': 0.93
X-CM-Score 0.00
X-CNFS-Analysis v=2.1 cv=KrN0hwmN c=1 sm=1 tr=0 a=0nF1XD0wxitMEM03M9B4ZQ==:117 a=0nF1XD0wxitMEM03M9B4ZQ==:17 a=0Bzu9jTXAAAA:8 a=oyR3mlnJdzkA:10 a=WOYJk9YmNnIA:10 a=ihvODaAuJD4A:10 a=OUOv7kDek9cA:10 a=IkcTkHD0fZMA:10 a=EBOSESyhAAAA:8 a=8AHkEIZyAAAA:8 a=HDl4q-BBNugA:10 a=NXsfvHnzAAAA:8 a=2A4ztTOWbkqxfaG1wMsA:9 a=QEXdDO2ut3YA:10
X-AUTH mrabarnett:2500
Date Mon, 17 Jun 2013 19:47:30 +0100
From MRAB <python@mrabarnett.plus.com>
User-Agent Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version 1.0
To python-list@python.org
Subject Re: Updating a filename's counter value failed each time
References <kpne3k$1066$1@news.ntua.gr> <b290qpFm23aU1@mid.uni-berlin.de> <kpnj6o$av7$4@news.grnet.gr> <b2932qFmru6U1@mid.uni-berlin.de>
In-Reply-To <b2932qFmru6U1@mid.uni-berlin.de>
Content-Type text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding 8bit
X-BeenThere python-list@python.org
X-Mailman-Version 2.1.15
Precedence list
Reply-To python-list@python.org
List-Id General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive <http://mail.python.org/pipermail/python-list/>
List-Post <mailto:python-list@python.org>
List-Help <mailto:python-list-request@python.org?subject=help>
List-Subscribe <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups comp.lang.python
Message-ID <mailman.3493.1371494836.3114.python-list@python.org> (permalink)
Lines 49
NNTP-Posting-Host 2001:888:2000:d::a6
X-Trace 1371494836 news.xs4all.nl 15879 [2001:888:2000:d::a6]:47370
X-Complaints-To abuse@xs4all.nl
Xref csiph.com comp.lang.python:48552

Show key headers only | View raw

On 17/06/2013 19:32, Jens Thoms Toerring wrote:
> Νίκος <support@superhost.gr> wrote:
>> On 17/6/2013 8:54 μμ, Jens Thoms Toerring wrote:
>> > Also take care to check the filename you insert - a malicous
>> > user might cobble together a file name that is actually a SQL
>> > statement and then do nasty things to your database. I.e. never
>> > insert values you received from a user without checking them.
>
>> Yes in generally user iput validation is needed always, but here here
>> the filename being selected is from an html table list of filenames.
>
>> But i take it you eman that someone might tried it to pass a bogus
>> "filename" value from the url like:
>
>> http://superhost.gr/cgi-bin/files.py?filename="Select....."
>
>> Si that what you mean?
>
> Well, you neer wrote where this filename is coming from.
> so all I could assume was that the user can enter a more
> or less random file name. If he only can select one from
> a list you put together there's probably less of a problem.
>
>> But the comma inside the execute statement doesn't protect me from such
>> actions opposed when i was using a substitute operator?
>
>> > I would guess because you forgot the uotes around string
>> > values in your SQL statement which thus wasn't executed.
>
>> i tried you suggestions:
>
>> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit =
>> %s WHERE url = "%s"''', (host, lastvisit, filename) )
>
>> seems the same as:
>
>> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit =
>> %s WHERE url = %s''', (host, lastvisit, filename) )
>
>> since everything is tripled quoted already what would the difference be
>> in "%s" opposed to plain %s ?
>
> As I wrote you need *single* quotes around strings in
> SQL statements. Double quotes won't do - this is SQL
> and not Python so you're dealing with a different lan-
> guage and thus different rules apply. The triple single
> quotes are seen by Python, but SQL needs its own.
>
The query looks safe to me as he _is_ using a parametrised query.

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Updating a filename's counter value failed each time Simpleton <support@superhost.gr> - 2013-06-17 19:39 +0300
  Re: Updating a filename's counter value failed each time MRAB <python@mrabarnett.plus.com> - 2013-06-17 18:40 +0100
    Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-17 20:51 +0300
  Re: Updating a filename's counter value failed each time John Gordon <gordon@panix.com> - 2013-06-17 17:40 +0000
  Re: Updating a filename's counter value failed each time jt@toerring.de (Jens Thoms Toerring) - 2013-06-17 17:54 +0000
    Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-17 21:06 +0300
      Re: Updating a filename's counter value failed each time jt@toerring.de (Jens Thoms Toerring) - 2013-06-17 18:32 +0000
        Re: Updating a filename's counter value failed each time MRAB <python@mrabarnett.plus.com> - 2013-06-17 19:47 +0100
          Re: Updating a filename's counter value failed each time jt@toerring.de (Jens Thoms Toerring) - 2013-06-17 19:16 +0000
            Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 20:33 +0000
      Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 19:05 +0000
        Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-17 22:30 +0300
          Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 20:26 +0000
            Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 20:43 +0000
    Re: Updating a filename's counter value failed each time Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-06-17 19:30 -0400
      Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-18 03:25 +0300
  Re: Updating a filename's counter value failed each time John Gordon <gordon@panix.com> - 2013-06-17 19:19 +0000
    Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-17 22:28 +0300
      Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 20:39 +0000
        Re: Updating a filename's counter value failed each time John Gordon <gordon@panix.com> - 2013-06-17 20:44 +0000
          Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 20:49 +0000
          Re: Updating a filename's counter value failed each time MRAB <python@mrabarnett.plus.com> - 2013-06-17 23:22 +0100
            Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-18 02:11 +0300
              Re: Updating a filename's counter value failed each time Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-06-17 21:42 -0400
                Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-18 08:49 +0300
                Re: Updating a filename's counter value failed each time Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-06-18 19:56 -0400
              Re: Updating a filename's counter value failed each time Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-06-17 22:01 -0400
  Re: Updating a filename's counter value failed each time Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-06-17 23:18 +0000
  Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-18 03:22 +0300

csiph-web