Path: csiph.com!usenet.pasdenom.info!gegeweb.org!de-l.enfer-du-nord.net!feeder1.enfer-du-nord.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed3.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.001 X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'python,': 0.02; 'insert': 0.05; 'nasty': 0.07; 'string': 0.09; 'filename': 0.09; 'suggestions:': 0.09; 'python': 0.11; 'assume': 0.14; 'wrote': 0.14; 'random': 0.14; '"%s"': 0.16; '%s,': 0.16; '(host,': 0.16; 'comma': 0.16; 'executed.': 0.16; 'filename)': 0.16; 'filenames.': 0.16; 'from:addr:mrabarnett.plus.com': 0.16; 'from:addr:python': 0.16; 'from:name:mrab': 0.16; 'hits': 0.16; 'message- id:@mrabarnett.plus.com': 0.16; 'quoted': 0.16; 'subject:failed': 0.16; 'substitute': 0.16; 'url:filename': 0.16; 'url:py': 0.16; 'wrote:': 0.18; 'seems': 0.21; 'select': 0.22; 'rules': 0.22; 'header:User-Agent:1': 0.23; 'apply.': 0.24; 'own.': 0.24; 'looks': 0.24; 'query': 0.26; 'pass': 0.26; 'values': 0.27; 'header:In-Reply-To:1': 0.27; 'tried': 0.27; 'host': 0.29; 'generally': 0.29; 'thus': 0.29; "doesn't": 0.30; 'forgot': 0.30; 'statement': 0.30; 'quotes': 0.31; 'file': 0.32; 'probably': 0.32; 'checking': 0.33; 'guess': 0.33; 'plain': 0.33; 'subject:time': 0.33; 'table': 0.34; 'could': 0.34; 'problem.': 0.35; 'but': 0.35; 'i.e.': 0.36; 'opposed': 0.36; 'list': 0.37; 'being': 0.38; 'actions': 0.38; 'needed': 0.38; 'to:addr:python-list': 0.38; 'files': 0.38; 'to:addr:python.org': 0.39; "you're": 0.61; 'name': 0.63; 'such': 0.63; 'more': 0.64; 'different': 0.65; 'url:cgi- bin': 0.65; 'here': 0.66; 'header:Reply-To:1': 0.67; 'yes': 0.68; 'reply-to:no real name:2**0': 0.71; 'safe': 0.72; 'protect': 0.79; 'as:': 0.81; 'reply-to:addr:python.org': 0.84; 'from.': 0.93 X-CM-Score: 0.00 X-CNFS-Analysis: v=2.1 cv=KrN0hwmN c=1 sm=1 tr=0 a=0nF1XD0wxitMEM03M9B4ZQ==:117 a=0nF1XD0wxitMEM03M9B4ZQ==:17 a=0Bzu9jTXAAAA:8 a=oyR3mlnJdzkA:10 a=WOYJk9YmNnIA:10 a=ihvODaAuJD4A:10 a=OUOv7kDek9cA:10 a=IkcTkHD0fZMA:10 a=EBOSESyhAAAA:8 a=8AHkEIZyAAAA:8 a=HDl4q-BBNugA:10 a=NXsfvHnzAAAA:8 a=2A4ztTOWbkqxfaG1wMsA:9 a=QEXdDO2ut3YA:10 X-AUTH: mrabarnett:2500 Date: Mon, 17 Jun 2013 19:47:30 +0100 From: MRAB User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130509 Thunderbird/17.0.6 MIME-Version: 1.0 To: python-list@python.org Subject: Re: Updating a filename's counter value failed each time References: In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: python-list@python.org List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 49 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1371494836 news.xs4all.nl 15879 [2001:888:2000:d::a6]:47370 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:48552 On 17/06/2013 19:32, Jens Thoms Toerring wrote: > Νίκος wrote: >> On 17/6/2013 8:54 μμ, Jens Thoms Toerring wrote: >> > Also take care to check the filename you insert - a malicous >> > user might cobble together a file name that is actually a SQL >> > statement and then do nasty things to your database. I.e. never >> > insert values you received from a user without checking them. > >> Yes in generally user iput validation is needed always, but here here >> the filename being selected is from an html table list of filenames. > >> But i take it you eman that someone might tried it to pass a bogus >> "filename" value from the url like: > >> http://superhost.gr/cgi-bin/files.py?filename="Select....." > >> Si that what you mean? > > Well, you neer wrote where this filename is coming from. > so all I could assume was that the user can enter a more > or less random file name. If he only can select one from > a list you put together there's probably less of a problem. > >> But the comma inside the execute statement doesn't protect me from such >> actions opposed when i was using a substitute operator? > >> > I would guess because you forgot the uotes around string >> > values in your SQL statement which thus wasn't executed. > >> i tried you suggestions: > >> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = >> %s WHERE url = "%s"''', (host, lastvisit, filename) ) > >> seems the same as: > >> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = >> %s WHERE url = %s''', (host, lastvisit, filename) ) > >> since everything is tripled quoted already what would the difference be >> in "%s" opposed to plain %s ? > > As I wrote you need *single* quotes around strings in > SQL statements. Double quotes won't do - this is SQL > and not Python so you're dealing with a different lan- > guage and thus different rules apply. The triple single > quotes are seen by Python, but SQL needs its own. > The query looks safe to me as he _is_ using a parametrised query.