


Re: protect psycopg script from sql injection?

Started by: MRAB <python@mrabarnett.plus.com>
First post: 2014-06-26 00:29 +0100
Last post: 2014-06-26 00:29 +0100
Articles 1 — 1 participant


This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.



#73597 — Re: protect psycopg script from sql injection?

From: MRAB <python@mrabarnett.plus.com>
Date: 2014-06-26 00:29 +0100
Subject: Re: protect psycopg script from sql injection?
Message-ID: <mailman.11247.1403738987.18130.python-list@python.org>
On 2014-06-25 22:58, celati Laurent wrote:
> Hello,
>
> I coded this following python script via psycopg;
>
> web_service_test.py
> <http://python.6.x6.nabble.com/file/n5062113/web_service_test.py>
>
> 1/ When I execute it, the result is 'bad request'. Could you tell me why?
>
> 2/ Could you tell me how to protect this script from SQL injections please?
>
In answer to question 2, don't insert the values into the query string
as you're doing here:

     selectString = "SELECT ST_AsText(geom), cult_lib FROM rpg WHERE ST_Intersects(SELECT ST_GeomFromText('POINT(%s %s)',2154), rpg)" % (x, y)

Instead, use the placeholder %s in the query string to indicate where the
values should go, and then pass that query string and a tuple of the
values to the .execute method:

     selectString = "SELECT ST_AsText(geom), cult_lib FROM rpg WHERE ST_Intersects(SELECT ST_GeomFromText('POINT(%s %s)',2154), rpg)"

     # cur is a psycopg cursor; the driver binds x and y to the %s placeholders
     cur.execute(selectString, (x, y))

The database engine will insert the values itself, safely.
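An added illustration of the two patterns side by side, not code from MRAB's post. It runs against an in-memory SQLite table from Python's standard library so that it works offline without a PostgreSQL server; sqlite3 spells its placeholder `?` where psycopg spells it `%s`, but the mechanism (values bound by the driver rather than pasted into the SQL text) is the same. The `rpg` table, its plain numeric `x`/`y` columns and the three rows are constructed for the example and are not the original schema. The check it performs is the one a practitioner wants: does a value containing a quote character reach the SQL parser, or is it treated as data?

```python
import sqlite3

# Constructed sample data standing in for the "rpg" table: an id, a plain
# numeric x/y pair in place of a PostGIS geometry, and the crop label.
ROWS = [
    (1, 652000.0, 6862000.0, "wheat"),
    (2, 652500.0, 6862500.0, "maize"),
    (3, 653000.0, 6863000.0, "barley"),
]


def make_db():
    """Return an in-memory SQLite connection holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rpg (id INTEGER, x REAL, y REAL, cult_lib TEXT)")
    conn.executemany("INSERT INTO rpg VALUES (?, ?, ?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, x, y):
    """The pattern the post warns against: Python's % operator pastes the
    values into the SQL text, so whatever x and y contain is handed to the
    SQL parser as part of the statement."""
    sql = "SELECT id, cult_lib FROM rpg WHERE x = %s AND y = %s" % (x, y)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, x, y):
    """The pattern the post recommends: placeholders stay in the SQL text and
    the values travel separately in the tuple given to execute(). sqlite3
    spells the placeholder '?' where psycopg spells it '%s'; either way the
    driver binds the values and they cannot change the statement's shape."""
    sql = "SELECT id, cult_lib FROM rpg WHERE x = ? AND y = ?"
    return conn.execute(sql, (x, y)).fetchall()


def demo():
    """Run both patterns on a normal input and on an input containing a
    quote character, and report what each one did."""
    conn = make_db()
    honest = lookup_safe(conn, 652500.0, 6862500.0)

    # A value that is not a coordinate and contains an apostrophe. Pasted
    # into the statement it reaches the SQL parser and breaks the query
    # (the error is the tell that input was parsed as SQL); bound as a
    # parameter it is compared as an ordinary string, matches nothing,
    # and the statement runs exactly as written.
    odd = "O'Brien"
    try:
        lookup_unsafe(conn, odd, 0)
        unsafe_reached_parser = False
    except sqlite3.OperationalError:
        unsafe_reached_parser = True
    safe_rows = lookup_safe(conn, odd, 0)

    return honest, unsafe_reached_parser, safe_rows


if __name__ == "__main__":
    print(demo())
```

Two psycopg-specific points when carrying this over. First, the `%s` in a parameterized query is consumed by the driver, not by Python's `%` operator, so never apply `%` to a string you then pass together with a parameter tuple (and a literal `%` in such a query has to be written `%%`). Second, a placeholder must not sit inside SQL quotes, because the driver already wraps the bound value in quotes of its own; for the point in the post, pass the whole WKT string as one parameter (`ST_GeomFromText(%s, 2154)` with `'POINT(%s %s)' % (x, y)` as the single bound value) or build the geometry from numeric parameters with `ST_SetSRID(ST_MakePoint(%s, %s), 2154)`.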
