
Re: strange use of %s

In-Reply-To <4dabf65a$0$18250$4fafbaef@reader2.news.tin.it>
References <4dabf65a$0$18250$4fafbaef@reader2.news.tin.it>
Date Mon, 18 Apr 2011 18:50:40 +1000
Subject Re: strange use of %s
From Chris Angelico <rosuav@gmail.com>
To python-list@python.org
Newsgroups comp.lang.python
Message-ID <mailman.506.1303116643.9059.python-list@python.org> (permalink)


On Mon, Apr 18, 2011 at 6:29 PM, Tracubik <affdfsdfdsfsd@b.com> wrote:
> Hi all,
> I'm reading a Python tutorial in Ubuntu's Full Circle Magazine and I've
> found this strange use of %s:
>
> sql = "SELECT pkid,name,source,servings FROM Recipes WHERE name like '%%%s%%'" %response
>
> response is a string. I'm a newbie in SQL.
>
> Why does the coder use %%%s%% instead of a simple %s?
> Why does he also use the ''?

Python supports printf-style filling-in of strings. Simple example:

print "Hello, %s!" % "world"

You can also use %d for decimal numbers, %x for hex, and so on (%s
means string). One consequence of this is that the percent character
needs to be escaped - so to display a percentage, you would use
something like:

print "Current progress: %d %%" % 72

which will display "Current progress: 72 %". The percent sign outside
the quotes is the operator.

In the SQL example, the response is bracketed by percent signs. So if
response is "beef", the sql variable will be set to "SELECT
pkid,name,source,servings FROM Recipes WHERE name like '%beef%'" -
which is the correct SQL syntax to search for the string 'beef'
anywhere inside the name (the percent signs there are like an asterisk
in a glob).

See for instance:
http://docs.python.org/library/stdtypes.html#string-formatting-operations
http://www.w3schools.com/sql/sql_like.asp

There's a serious issue in this code, in that it allows dodgy
responses to embed SQL code. I don't know what your context is, but
embedding what appears to be a user-provided response unsanitized into
an SQL statement is asking for SQL injection exploits down the track.

http://en.wikipedia.org/wiki/SQL_injection

If it's just a toy for demonstrative purposes that's fine, but it's
good to be aware of these issues. Check out the library you're using
for database access; it's quite possible that you'll be able to embed
variable references in a different way, and let the library escape
them for you - otherwise, look for some kind of escape_string
function.

Hope that helps!

Chris Angelico
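The two points in the reply above (how `%%%s%%` is filled in, and why the result should not be built by string formatting) side by side, as an added example that is not part of the original thread. It uses the standard-library sqlite3 module and a constructed in-memory Recipes table; the parameterised version also escapes the user's own `%` and `_` so they are matched literally instead of acting as LIKE wildcards.

```python
import sqlite3

# Constructed sample rows for this demo; not from the magazine tutorial.
RECIPES = [
    (1, "Beef stew", "Grandma", 4),
    (2, "Roast beef", "Magazine", 6),
    (3, "Lentil soup", "Web", 2),
    (4, "50% less salt soup", "Web", 3),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Recipes (pkid INTEGER, name TEXT, source TEXT, servings INTEGER)")
    conn.executemany("INSERT INTO Recipes VALUES (?, ?, ?, ?)", RECIPES)
    return conn


def build_sql_unsafe(response):
    # Exactly the tutorial's construction: '%%' becomes a literal '%', '%s' becomes response.
    return "SELECT pkid,name,source,servings FROM Recipes WHERE name like '%%%s%%'" % response


def search_unsafe(conn, response):
    # The response is spliced into the SQL text, so quotes and wildcards in it change the query.
    return [row[0] for row in conn.execute(build_sql_unsafe(response) + " ORDER BY pkid")]


def search_safe(conn, response):
    # The SQL text is fixed; the wildcards and the response travel in the bound parameter.
    # ESCAPE '\' makes a backslash-prefixed % or _ match literally, so the user's own
    # characters cannot widen the search.
    escaped = response.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = "%" + escaped + "%"
    rows = conn.execute(
        "SELECT pkid,name,source,servings FROM Recipes "
        "WHERE name LIKE ? ESCAPE '\\' ORDER BY pkid",
        (pattern,),
    )
    return [row[0] for row in rows]


def query_breaks(conn, response):
    """True when the string-formatted query cannot even be parsed for this input."""
    try:
        search_unsafe(conn, response)
        return False
    except sqlite3.OperationalError:
        return True
```

A perfectly legitimate search such as "bob's pie" already breaks the formatted query, which is the same root cause the reply warns about; the parameterised form handles it and treats a typed `%` as text rather than a wildcard.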



Thread

strange use of %s Tracubik <affdfsdfdsfsd@b.com> - 2011-04-18 08:29 +0000
  Re: strange use of %s Tim Golden <mail@timgolden.me.uk> - 2011-04-18 09:44 +0100
    Re: strange use of %s John Nagle <nagle@animats.com> - 2011-04-25 15:01 -0700
      Re: strange use of %s Chris Angelico <rosuav@gmail.com> - 2011-04-26 08:10 +1000
  Re: strange use of %s Chris Angelico <rosuav@gmail.com> - 2011-04-18 18:50 +1000
  Re: strange use of %s Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2011-04-18 22:22 -0700
  Re: strange use of %s Chris Angelico <rosuav@gmail.com> - 2011-04-19 15:31 +1000
  Re: strange use of %s Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2011-04-19 21:01 -0700
