Path: csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!weretis.net!feeder1.news.weretis.net!feeder.erje.net!newsfeed.xs4all.nl!newsfeed5.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.000 X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'escape': 0.04; 'example)': 0.07; '(there': 0.09; 'garbage': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; '(%s,': 0.16; '.execute()': 0.16; '>how': 0.16; 'bieber': 0.16; 'email addr:ix.netcom.com': 0.16; 'email name:wlfraed': 0.16; 'from:addr:ix.netcom.com': 0.16; 'from:addr:wlfraed': 0.16; 'from:name:dennis lee bieber': 0.16; 'message-id:@4ax.com': 0.16; 'quote.': 0.16; 'received:wlfraed': 0.16; 'subject:hyphen': 0.16; 'url:netcom': 0.16; 'url:wlfraed': 0.16; 'wulfraed': 0.16; 'mon,': 0.16; 'wrote:': 0.18; 'received:166': 0.18; 'wrap': 0.18; 'insert': 0.19; 'subject:not': 0.19; 'url:home': 0.21; 'feb': 0.22; 'string': 0.24; 'noticed': 0.26; 'all,': 0.27; 'value.': 0.28; 'problem': 0.29; '+0200,': 0.30; 'logic': 0.30; 'queries.': 0.30; 'error': 0.30; 'values': 0.32; "can't": 0.33; 'header:X-Complaints-To:1': 0.34; 'lee': 0.34; 'rather': 0.34; '"we': 0.34; 'safely': 0.34; 'to:addr :python-list': 0.35; 'something': 0.35; 'received:org': 0.36; 'but': 0.37; 'charset:us-ascii': 0.37; 'another': 0.37; 'characters': 0.39; 'to:addr:python.org': 0.40; 'your': 0.61; 'reviews': 0.66; 'was:': 0.67; 'dennis': 0.73; 'below:': 0.80; 'injection': 0.84 X-Injected-Via-Gmane: http://gmane.org/ To: python-list@python.org From: Dennis Lee Bieber Subject: Re: MySQLdb not allowing hyphen Date: Sun, 05 Feb 2012 18:23:12 -0500 References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Gmane-NNTP-Posting-Host: mobile-166-147-101-017.mycingular.net X-Newsreader: Forte Agent 6.00/32.1186 X-No-Archive: YES X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 49 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1328484217 news.xs4all.nl 6844 [2001:888:2000:d::a6]:54703 X-Complaints-To: abuse@xs4all.nl Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:19882 On Mon, 6 Feb 2012 00:41:24 +0200, Emeka wrote: >Hello All, > >I noticed that MySQLdb not allowing hyphen may be way to prevent injection >attack. What hyphen? >I have something like below: > >"insert into reviews(message, title)values('%s', '%s')" %( "We don't know >where to go","We can't wait till morrow" ) > >How do I work around this error? Very simple... DON'T QUOTE PLACEHOLDERS AND USE MySQLdb parameterized queries. csr.execute("insert into reviews (message, title) values (%s, %s)", ( "We don't know where to go", "We can't wait till morrow" ) ) The whole purpose of parameterized queries is that the .execute() logic will SAFELY wrap the supplied values with quotes AND escape any problem characters within the value. The reason you got an error was not a hyphen (there are no hyphens in your example) but rather that you closed the quote. Your generated SQL was: insert into reviews (message, title) values ('We don't know where to go', 'We can't wait till morrow') which means a string of: "We don" SQL garbage t know where to go string ", " SQL garbage We can and another string "t wait till morrow" -- Wulfraed Dennis Lee Bieber AF6VN wlfraed@ix.netcom.com HTTP://wlfraed.home.netcom.com/