Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #3476

Re: strange use of %s

References <4dabf65a$0$18250$4fafbaef@reader2.news.tin.it>
Date 2011-04-18 18:50 +1000
Subject Re: strange use of %s
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.506.1303116643.9059.python-list@python.org> (permalink)

Show all headers | View raw

On Mon, Apr 18, 2011 at 6:29 PM, Tracubik <affdfsdfdsfsd@b.com> wrote:
> Hi all,
> i'm reading a python tutorial in Ubuntu's Full Circle Magazine and i've
> found this strange use of %s:
>
> sql = "SELECT pkid,name,source,servings FROM Recipes WHERE name like '%%%s%
> %'" %response
>
> response is a string. I've newbie in sql.
>
> why do the coder use %%%s%% instead of a simple %s?
> why he also use the ''?

Python supports printf-style filling-in of strings. Simple example:

print "Hello, %s!" % "world"

You can also use %d for decimal numbers, %x for hex, and so on (%s
means string). One consequence of this is that the percent character
needs to be escaped - so to display a percentage, you would use
something like:

print "Current progress: %d %%" % 72

which will display "Current progress: 72 %". The percent sign outside
the quotes is the operator.

In the SQL example, the response is bracketed by percent signs. So if
response is "beef", the sql variable will be set to "SELECT
pkid,name,source,servings FROM Recipes WHERE name like '%beef%" -
which is the correct SQL syntax to search for the string 'beef'
anywhere inside the name (the percent signs there are like an asterisk
in a glob).

See for instance:
http://docs.python.org/library/stdtypes.html#string-formatting-operations
http://www.w3schools.com/sql/sql_like.asp

There's a serious issue in this code, in that it allows dodgy
responses to embed SQL code. I don't know what your context is, but
embedding what appears to be a user-provided response unsanitized into
an SQL statement is asking for SQL injection exploits down the track.

http://en.wikipedia.org/wiki/SQL_injection

If it's just a toy for demonstrative purposes that's fine, but it's
good to be aware of these issues. Check out the library you're using
for database access; it's quite possible that you'll be able to embed
variable references in a different way, and let the library escape
them for you - otherwise, look for some kind of escape_string
function.

Hope that helps!

Chris Angelico

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

strange use of %s Tracubik <affdfsdfdsfsd@b.com> - 2011-04-18 08:29 +0000
  Re: strange use of %s Tim Golden <mail@timgolden.me.uk> - 2011-04-18 09:44 +0100
    Re: strange use of %s John Nagle <nagle@animats.com> - 2011-04-25 15:01 -0700
      Re: strange use of %s Chris Angelico <rosuav@gmail.com> - 2011-04-26 08:10 +1000
  Re: strange use of %s Chris Angelico <rosuav@gmail.com> - 2011-04-18 18:50 +1000
  Re: strange use of %s Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2011-04-18 22:22 -0700
  Re: strange use of %s Chris Angelico <rosuav@gmail.com> - 2011-04-19 15:31 +1000
  Re: strange use of %s Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2011-04-19 21:01 -0700

csiph-web