Path: csiph.com!usenet.pasdenom.info!weretis.net!feeder4.news.weretis.net!rt.uk.eu.org!newsfeed.xs4all.nl!newsfeed3.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path: <python@mrabarnett.plus.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.004
X-Spam-Evidence: '*H*': 0.99; '*S*': 0.00; 'subject:error': 0.03; 'causing': 0.04; 'resulting': 0.04; 'syntax': 0.04; 'insert': 0.05; '[0]': 0.09; 'dan': 0.09; 'subject:version': 0.09; '%s,': 0.16; 'corresponds': 0.16; 'doing,': 0.16; 'from:addr:mrabarnett.plus.com': 0.16; 'from:addr:python': 0.16; 'from:name:mrab': 0.16; 'message-id:@mrabarnett.plus.com': 0.16; 'subject: \n ': 0.16; 'wrote:': 0.18; 'library': 0.18; 'passing': 0.19; 'meant': 0.20; 'handles': 0.22; 'manual': 0.22; 'header :User-Agent:1': 0.23; 'error': 0.23; '"you': 0.24; 'integrate': 0.24; "shouldn't": 0.24; 'unicode': 0.24; 'mon,': 0.24; 'cheers,': 0.24; "haven't": 0.24; 'looks': 0.24; 'daniel': 0.26; 'query': 0.26; 'second': 0.26; 'pass': 0.26; 'values': 0.27; 'header:In- Reply-To:1': 0.27; 'dec': 0.30; 'see,': 0.30; 'statement': 0.30; "i'm": 0.30; 'lines': 0.31; 'url:wiki': 0.31; 'quotes': 0.31; 'subject:that': 0.31; 'url:wikipedia': 0.31; 'yourself.': 0.31; 'guess': 0.33; 'subject:the': 0.34; 'common': 0.35; 'problem.': 0.35; 'skip:u 20': 0.35; 'version': 0.36; 'url:org': 0.36; 'being': 0.38; 'server': 0.38; 'to:addr:python-list': 0.38; 'sure': 0.39; 'to:addr:python.org': 0.39; 'how': 0.40; 'full': 0.61; 'new': 0.61; "you're": 0.61; "you'll": 0.62; 'skip:n 10': 0.64; 'header:Reply-To:1': 0.67; 'combining': 0.68; 'reply-to:no real name:2**0': 0.71; 'subject:your': 0.76; '100%': 0.77; 'subject:have': 0.80; 'reply-to:addr:python.org': 0.84; 'subject:SQL': 0.84; 'subject:check': 0.84; 'subject:NEW': 0.91; '2013': 0.98
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.1 cv=C6LQl2/+ c=1 sm=1 tr=0 a=0nF1XD0wxitMEM03M9B4ZQ==:117 a=0nF1XD0wxitMEM03M9B4ZQ==:17 a=0Bzu9jTXAAAA:8 a=OJn0C7AadrgA:10 a=uSAaYV4nxT4A:10 a=ihvODaAuJD4A:10 a=OUOv7kDek9cA:10 a=8nJEP1OIZ-IA:10 a=EBOSESyhAAAA:8 a=8AHkEIZyAAAA:8 a=VUHZfU-Y8wIA:10 a=8pif782wAAAA:8 a=L_f1jEz2gb0w0YtjyOUA:9 a=wPNLvfGTeEIA:10
X-AUTH: mrabarnett:2500
Date: Mon, 09 Dec 2013 18:06:21 +0000
From: MRAB <python@mrabarnett.plus.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: python-list@python.org
Subject: Re: ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'S SIZE 11.5 NEW IN BOX', '$49.99')' at line 1")
References: <6b73a879-b490-48cb-a896-4d4abee90bf5@googlegroups.com> <20131209093204.GV22882@daniel-watkins.co.uk>
In-Reply-To: <20131209093204.GV22882@daniel-watkins.co.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: python-list@python.org
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.3786.1386612381.18130.python-list@python.org>
Lines: 42
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1386612381 news.xs4all.nl 2929 [2001:888:2000:d::a6]:58364
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:61400

On 09/12/2013 09:32, Daniel Watkins wrote:
> On Mon, Dec 09, 2013 at 12:41:57AM -0800, Jai wrote:
>>         sql = """insert into `category` (url, catagory,price) VAlUES ('%s', '%s', '%s')"""%(link1,x,y)
>>         sql = unicodedata.normalize('NFKD', sql).encode('ascii','ignore')
>>         cursor.execute(sql)
>>
>> ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'S SIZE 11.5 NEW IN BOX', '$49.99')' at line 1")
>
> Though you haven't given the full traceback, I suspect that the lines
> above are what is causing your problem.  My best guess is that you're
> being hit by a form of SQL injection[0], in that the values you are
> combining in to your query have single quotes which are resulting in an
> SQL statement that looks like:
>
>      insert into `category` (url, category, price) VALUES ('...', 'MEN'S SIZE 11.5 NEW IN BOX', '$49.99');
>
> As you can see, the second value you are passing has mismatched quotes.
> This is a common problem, so the MySQLdb library handles it by allowing
> you to pass in the values you want to cursor.execute; it then takes care
> of escaping them correctly:
>
>      sql = """insert into `category` (url, catagory,price) VAlUES ('%s', '%s', '%s')"""
>      cursor.execute(sql, (link1, x, y))
>
You shouldn't put quotes around the placeholders:

     sql = """insert into `category` (url, catagory,price) VAlUES (%s, 
%s, %s)"""
     cursor.execute(sql, (link1, x, y))

> I'm not 100% sure what the Unicode normalisation is meant to be doing,
> so you'll have to work out how to integrate that yourself.
>
>
> Cheers,
>
> Dan
>
>
> [0] https://en.wikipedia.org/wiki/SQL_injection
>