
Re: MySQLdb not allowing hyphen

To python-list@python.org
From Dennis Lee Bieber <wlfraed@ix.netcom.com>
Subject Re: MySQLdb not allowing hyphen
Date Sun, 05 Feb 2012 18:23:12 -0500
References <CAOypoo5Y8cOB015ngO9K7UEqu0AEdRPGuhpzrjZuXjE+nbh-uw@mail.gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.5461.1328484217.27778.python-list@python.org> (permalink)



On Mon, 6 Feb 2012 00:41:24 +0200, Emeka <emekamicro@gmail.com> wrote:

>Hello All,
>
>I noticed that MySQLdb not allowing hyphen may be way to prevent injection
>attack.
	
	What hyphen?

>I have something like below:
>
>"insert into reviews(message, title)values('%s', '%s')" %( "We don't know
>where to go","We can't wait till morrow" )
>
	<snip>
>How do I work around this error?

	Very simple... DON'T QUOTE PLACEHOLDERS AND USE MySQLdb
parameterized queries.

csr.execute("insert into reviews (message, title) values (%s, %s)",
            ("We don't know where to go",
             "We can't wait till <sic> morrow"))

	The whole purpose of parameterized queries is that the .execute()
logic will SAFELY wrap the supplied values with quotes AND escape any
problem characters within the value.

	The reason you got an error was not a hyphen (there are no hyphens
in your example) but rather that you closed the quote. Your generated
SQL was:

insert into reviews (message, title) values ('We don't know where to
go', 'We can't wait till morrow')

which means a string of:
		"We don"
SQL garbage
		t know where to go
string
		", "
SQL garbage
		We can
and another string
		"t wait till morrow"
-- 
	Wulfraed                 Dennis Lee Bieber         AF6VN
        wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/
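The failure mode and the fix described in the reply, as an added example that is not part of the original post and not MySQLdb's own code. It assumes the stdlib sqlite3 module as a stand-in for MySQLdb so it runs without a server; sqlite3 uses "?" placeholders where MySQLdb uses "%s", but the rule is the same: leave placeholders unquoted and pass the values as a separate tuple so the driver quotes and escapes them. The reviews table and the sample values are constructed here; a third row with hyphens shows that hyphens were never the problem.

```python
import sqlite3

# Constructed sample input: the two values from the thread. Each contains a
# single quote, which is exactly what broke the hand-built query.
MESSAGE = "We don't know where to go"
TITLE = "We can't wait till morrow"


def make_db():
    """In-memory SQLite database with a reviews table shaped like the thread's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table reviews (message text, title text)")
    return conn


def insert_with_formatting(conn, message, title):
    """The original, broken approach: splice values into the SQL with %.

    Returns (generated_sql, error). error is None only if the statement ran,
    which it will not for any value containing a single quote: the quote
    closes the literal early and the rest becomes SQL garbage.
    """
    sql = "insert into reviews(message, title) values('%s', '%s')" % (message, title)
    try:
        conn.execute(sql)
        conn.commit()
        return sql, None
    except sqlite3.Error as exc:
        return sql, exc


def insert_parameterized(conn, message, title):
    """The fix: unquoted placeholders, values handed to execute() separately.

    The driver wraps each value in quotes and escapes anything that would
    otherwise end the literal. Returns the row count after the insert.
    """
    conn.execute("insert into reviews (message, title) values (?, ?)", (message, title))
    conn.commit()
    return conn.execute("select count(*) from reviews").fetchone()[0]


def stored_rows(conn):
    """Everything currently in the table, so the stored text can be compared to the input."""
    return conn.execute("select message, title from reviews order by rowid").fetchall()


if __name__ == "__main__":
    db = make_db()
    sql, err = insert_with_formatting(db, MESSAGE, TITLE)
    print("generated SQL:", sql)
    print("result:", err)  # a syntax error near "t", just as the reply explains
    print("rows after parameterized insert:", insert_parameterized(db, MESSAGE, TITLE))
    # Hyphens, even a "--" comment marker, are stored verbatim as data.
    insert_parameterized(db, "Well-known -- not a comment", "Hyphen-ated title")
    print(stored_rows(db))
```

Running it prints the same broken statement the reply reconstructs, then shows the parameterized insert storing both values exactly as given.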


