Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #48537 > unrolled thread

Updating a filename's counter value failed each time

Back to article view | Back to comp.lang.python

Contents

  Updating a filename's counter value failed each time Simpleton <support@superhost.gr> - 2013-06-17 19:39 +0300
    Re: Updating a filename's counter value failed each time MRAB <python@mrabarnett.plus.com> - 2013-06-17 18:40 +0100
      Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-17 20:51 +0300
    Re: Updating a filename's counter value failed each time John Gordon <gordon@panix.com> - 2013-06-17 17:40 +0000
    Re: Updating a filename's counter value failed each time jt@toerring.de (Jens Thoms Toerring) - 2013-06-17 17:54 +0000
      Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-17 21:06 +0300
        Re: Updating a filename's counter value failed each time jt@toerring.de (Jens Thoms Toerring) - 2013-06-17 18:32 +0000
          Re: Updating a filename's counter value failed each time MRAB <python@mrabarnett.plus.com> - 2013-06-17 19:47 +0100
            Re: Updating a filename's counter value failed each time jt@toerring.de (Jens Thoms Toerring) - 2013-06-17 19:16 +0000
              Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 20:33 +0000
        Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 19:05 +0000
          Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-17 22:30 +0300
            Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 20:26 +0000
              Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 20:43 +0000
      Re: Updating a filename's counter value failed each time Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-06-17 19:30 -0400
        Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-18 03:25 +0300
    Re: Updating a filename's counter value failed each time John Gordon <gordon@panix.com> - 2013-06-17 19:19 +0000
      Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-17 22:28 +0300
        Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 20:39 +0000
          Re: Updating a filename's counter value failed each time John Gordon <gordon@panix.com> - 2013-06-17 20:44 +0000
            Re: Updating a filename's counter value failed each time Alister <alister.ware@ntlworld.com> - 2013-06-17 20:49 +0000
            Re: Updating a filename's counter value failed each time MRAB <python@mrabarnett.plus.com> - 2013-06-17 23:22 +0100
              Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-18 02:11 +0300
                Re: Updating a filename's counter value failed each time Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-06-17 21:42 -0400
                  Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-18 08:49 +0300
                    Re: Updating a filename's counter value failed each time Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-06-18 19:56 -0400
                Re: Updating a filename's counter value failed each time Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-06-17 22:01 -0400
    Re: Updating a filename's counter value failed each time Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-06-17 23:18 +0000
    Re: Updating a filename's counter value failed each time Νίκος <support@superhost.gr> - 2013-06-18 03:22 +0300

Page 1 of 2  [1] 2  Next page →

#48537 — Updating a filename's counter value failed each time

Hello again, something simple this time:

After a user selects a file from the form, that sleection of his can be 
found form reading the variable 'filename'

If the filename already exists in to the database i want to update its 
counter and that is what i'm trying to accomplish by:

-----------
if form.getvalue('filename'):
	cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
%s WHERE url = %s''', (host, lastvisit, filename) )
-----------

For some reason this never return any data, because for troubleshooting 
i have tried:

-----------------
data = cur.fetchone()

if data:
	print("something been returned out of this"_
----------------

Since for sure the filename the user selected is represented by a record 
inside 'files' table why its corresponding counter never seems to get 
updated?

Thank you.
-- 
What is now proved was at first only imagined!

[toc] | [next] | [standalone]

#48541

On 17/06/2013 17:39, Simpleton wrote:
> Hello again, something simple this time:
>
> After a user selects a file from the form, that sleection of his can be
> found form reading the variable 'filename'
>
> If the filename already exists in to the database i want to update its
> counter and that is what i'm trying to accomplish by:
>
> -----------
> if form.getvalue('filename'):
> 	cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit =
> %s WHERE url = %s''', (host, lastvisit, filename) )
> -----------
>
> For some reason this never return any data, because for troubleshooting
> i have tried:
>
> -----------------
> data = cur.fetchone()
>
> if data:
> 	print("something been returned out of this"_
> ----------------
>
> Since for sure the filename the user selected is represented by a record
> inside 'files' table why its corresponding counter never seems to get
> updated?
>
You say "for sure". Really? Then why isn't it working as you expect?

When it comes to debugging, """assumption is the mother of all
****-ups""" [insert relevant expletive for "****"].

Assume nothing.

What is the value of 'filename'?

What are the entries in the 'files' table?

Print them out, for example:

     print("filename is", ascii(filename))

or write them into a log file and then look at them.

[toc] | [prev] | [next] | [standalone]

#48545

On 17/6/2013 8:40 μμ, MRAB wrote:
> On 17/06/2013 17:39, Simpleton wrote:
>> Hello again, something simple this time:
>>
>> After a user selects a file from the form, that sleection of his can be
>> found form reading the variable 'filename'
>>
>> If the filename already exists in to the database i want to update its
>> counter and that is what i'm trying to accomplish by:
>>
>> -----------
>> if form.getvalue('filename'):
>>     cur.execute('''UPDATE files SET hits = hits + 1, host = %s,
>> lastvisit =
>> %s WHERE url = %s''', (host, lastvisit, filename) )
>> -----------
>>
>> For some reason this never return any data, because for troubleshooting
>> i have tried:
>>
>> -----------------
>> data = cur.fetchone()
>>
>> if data:
>>     print("something been returned out of this"_
>> ----------------
>>
>> Since for sure the filename the user selected is represented by a record
>> inside 'files' table why its corresponding counter never seems to get
>> updated?
>>
> You say "for sure". Really? Then why isn't it working as you expect?
>
> When it comes to debugging, """assumption is the mother of all
> ****-ups""" [insert relevant expletive for "****"].
>
> Assume nothing.
>
> What is the value of 'filename'?
>
> What are the entries in the 'files' table?
>
> Print them out, for example:
>
>      print("filename is", ascii(filename))
>
> or write them into a log file and then look at them.
>
Yes i have tried to print it and correct.
for example i have selected a filename just now from

filename is Σκέψου έναν αριθμό.exe

he is the actual filenames valeus from database:

http://i.imgur.com/GxIMW4C.png


Seems like the value of the database isnt being matched with the 
'filename' var's value that why the update never return any data.
i wonder why the update never happens!

-- 
What is now proved was at first only imagined!

[toc] | [prev] | [next] | [standalone]

#48542

In <kpne3k$1066$1@news.ntua.gr> Simpleton <support@superhost.gr> writes:

> Hello again, something simple this time:

> After a user selects a file from the form, that sleection of his can be 
> found form reading the variable 'filename'

> If the filename already exists in to the database i want to update its 
> counter and that is what i'm trying to accomplish by:

> -----------
> if form.getvalue('filename'):
> 	cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
> %s WHERE url = %s''', (host, lastvisit, filename) )
> -----------

> For some reason this never return any data, because for troubleshooting 
> i have tried:

> -----------------
> data = cur.fetchone()

> if data:
> 	print("something been returned out of this"_
> ----------------

An UPDATE statement isn't a query.  There are no results to be fetched.
If you want to get results, execute a query (usually a SELECT.)

Also, that print statement is an obvious syntax error.  Please post
the actual code you're running; don't type it in from memory.

-- 
John Gordon                   A is for Amy, who fell down the stairs
gordon@panix.com              B is for Basil, assaulted by bears
                                -- Edward Gorey, "The Gashlycrumb Tinies"

[toc] | [prev] | [next] | [standalone]

#48547

In article <kpne3k$1066$1@news.ntua.gr> you wrote:
> After a user selects a file from the form, that sleection of his can be 
> found form reading the variable 'filename'

> If the filename already exists in to the database i want to update its 
> counter and that is what i'm trying to accomplish by:

> -----------
> if form.getvalue('filename'):
>         cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
> %s WHERE url = %s''', (host, lastvisit, filename) )

There are (single) quotes missing around (at least) the file
name (the 'url' column) which I'm rather sure is a string -
you need them around all strings you use in SQL statements.

I don't know which database and interface you're using but I would
guess that many have the ability to inserting quotes where neces-
sary etc. E.g. with sqlite3 you would use

   cur.execute('UPDATE files SET hits = hits + 1, host = ?, lastvisit = ? '
               'WHERE url = ?', (host, lastvisit, filename) )

and the quotes required around (at least) the 'filename' string
will be inserted automatically.

Also take care to check the filename you insert - a malicous
user might cobble together a file name that is actually a SQL
statement and then do nasty things to your database. I.e. never
insert values you received from a user without checking them.

> For some reason this never return any data, because for troubleshooting 
> i have tried:

> data = cur.fetchone()

There's nothing that your SQL statement (if correct) would return,
so what do you expect to have returned by the fetchone() method?

Perhaps there's something like the 'rowcount' property in sqlite3
which returns the number of rows modified by an INSERT or UPDATE.

> Since for sure the filename the user selected is represented by a record 
> inside 'files' table why its corresponding counter never seems to get 
> updated?

I would guess because you forgot the uotes around string
values in your SQL statement which thus wasn't executed.

                          Regards, Jens
-- 
  \   Jens Thoms Toerring  ___      jt@toerring.de
   \__________________________      http://toerring.de

[toc] | [prev] | [next] | [standalone]

#48550

On 17/6/2013 8:54 μμ, Jens Thoms Toerring wrote:
> Also take care to check the filename you insert - a malicous
> user might cobble together a file name that is actually a SQL
> statement and then do nasty things to your database. I.e. never
> insert values you received from a user without checking them.

Yes in generally user iput validation is needed always, but here here 
the filename being selected is from an html table list of filenames.

But i take it you eman that someone might tried it to pass a bogus 
"filename" value from the url like:

http://superhost.gr/cgi-bin/files.py?filename="Select....."

Si that what you mean?

But the comma inside the execute statement doesn't protect me from such 
actions opposed when i was using a substitute operator?

> I would guess because you forgot the uotes around string
> values in your SQL statement which thus wasn't executed.

i tried you suggestions:

cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
%s WHERE url = "%s"''', (host, lastvisit, filename) )

seems the same as:

cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
%s WHERE url = %s''', (host, lastvisit, filename) )

since everything is tripled quoted already what would the difference be 
in "%s" opposed to plain %s ?

-- 
What is now proved was at first only imagined!

[toc] | [prev] | [next] | [standalone]

#48551

Νίκος <support@superhost.gr> wrote:
> On 17/6/2013 8:54 μμ, Jens Thoms Toerring wrote:
> > Also take care to check the filename you insert - a malicous
> > user might cobble together a file name that is actually a SQL
> > statement and then do nasty things to your database. I.e. never
> > insert values you received from a user without checking them.

> Yes in generally user iput validation is needed always, but here here 
> the filename being selected is from an html table list of filenames.

> But i take it you eman that someone might tried it to pass a bogus 
> "filename" value from the url like:

> http://superhost.gr/cgi-bin/files.py?filename="Select....."

> Si that what you mean?

Well, you neer wrote where this filename is coming from.
so all I could assume was that the user can enter a more
or less random file name. If he only can select one from
a list you put together there's probably less of a problem.

> But the comma inside the execute statement doesn't protect me from such 
> actions opposed when i was using a substitute operator?

> > I would guess because you forgot the uotes around string
> > values in your SQL statement which thus wasn't executed.

> i tried you suggestions:

> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
> %s WHERE url = "%s"''', (host, lastvisit, filename) )

> seems the same as:

> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
> %s WHERE url = %s''', (host, lastvisit, filename) )

> since everything is tripled quoted already what would the difference be 
> in "%s" opposed to plain %s ?

As I wrote you need *single* quotes around strings in
SQL statements. Double quotes won't do - this is SQL
and not Python so you're dealing with a different lan-
guage and thus different rules apply. The triple single
quotes are seen by Python, but SQL needs its own.

                        Regards, Jens
-- 
  \   Jens Thoms Toerring  ___      jt@toerring.de
   \__________________________      http://toerring.de

[toc] | [prev] | [next] | [standalone]

#48552

On 17/06/2013 19:32, Jens Thoms Toerring wrote:
> Νίκος <support@superhost.gr> wrote:
>> On 17/6/2013 8:54 μμ, Jens Thoms Toerring wrote:
>> > Also take care to check the filename you insert - a malicous
>> > user might cobble together a file name that is actually a SQL
>> > statement and then do nasty things to your database. I.e. never
>> > insert values you received from a user without checking them.
>
>> Yes in generally user iput validation is needed always, but here here
>> the filename being selected is from an html table list of filenames.
>
>> But i take it you eman that someone might tried it to pass a bogus
>> "filename" value from the url like:
>
>> http://superhost.gr/cgi-bin/files.py?filename="Select....."
>
>> Si that what you mean?
>
> Well, you neer wrote where this filename is coming from.
> so all I could assume was that the user can enter a more
> or less random file name. If he only can select one from
> a list you put together there's probably less of a problem.
>
>> But the comma inside the execute statement doesn't protect me from such
>> actions opposed when i was using a substitute operator?
>
>> > I would guess because you forgot the uotes around string
>> > values in your SQL statement which thus wasn't executed.
>
>> i tried you suggestions:
>
>> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit =
>> %s WHERE url = "%s"''', (host, lastvisit, filename) )
>
>> seems the same as:
>
>> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit =
>> %s WHERE url = %s''', (host, lastvisit, filename) )
>
>> since everything is tripled quoted already what would the difference be
>> in "%s" opposed to plain %s ?
>
> As I wrote you need *single* quotes around strings in
> SQL statements. Double quotes won't do - this is SQL
> and not Python so you're dealing with a different lan-
> guage and thus different rules apply. The triple single
> quotes are seen by Python, but SQL needs its own.
>
The query looks safe to me as he _is_ using a parametrised query.

[toc] | [prev] | [next] | [standalone]

#48554

MRAB <python@mrabarnett.plus.com> wrote:
> On 17/06/2013 19:32, Jens Thoms Toerring wrote:
> > As I wrote you need *single* quotes around strings in
> > SQL statements. Double quotes won't do - this is SQL
> > and not Python so you're dealing with a different lan-
> > guage and thus different rules apply. The triple single
> > quotes are seen by Python, but SQL needs its own.
> >
> The query looks safe to me as he _is_ using a parametrised query.

Perhaps - the OP never told which API (or database) he
is using. What about some API that simply connects the
first argument of exxecute() with the second with just
a simple '%' to construct the string for the SQL state-
ment? In that case there would be no single quotes a-
round strings, or would there?

                           Regards, Jens
-- 
  \   Jens Thoms Toerring  ___      jt@toerring.de
   \__________________________      http://toerring.de

[toc] | [prev] | [next] | [standalone]

#48560

On Mon, 17 Jun 2013 19:16:02 +0000, Jens Thoms Toerring wrote:

> MRAB <python@mrabarnett.plus.com> wrote:
>> On 17/06/2013 19:32, Jens Thoms Toerring wrote:
>> > As I wrote you need *single* quotes around strings in SQL statements.
>> > Double quotes won't do - this is SQL and not Python so you're dealing
>> > with a different lan- guage and thus different rules apply. The
>> > triple single quotes are seen by Python, but SQL needs its own.
>> >
>> The query looks safe to me as he _is_ using a parametrised query.
> 
> Perhaps - the OP never told which API (or database) he is using. What
> about some API that simply connects the first argument of exxecute()
> with the second with just a simple '%' to construct the string for the
> SQL state-
> ment? In that case there would be no single quotes a- round strings, or
> would there?
> 
>                            Regards, Jens

Do you know of any python DB module that acts this way?

if you do then that module does not conform to the python DB-API (PEP 
249) & should be avoided.

whilst erring on the side of caution is commendable, Nicos is having 
enough problems without confusing him further.



-- 
Today you'll start getting heavy metal radio on your dentures.

[toc] | [prev] | [next] | [standalone]

#48553

On Mon, 17 Jun 2013 21:06:16 +0300, Νίκος wrote:
> 
> But the comma inside the execute statement doesn't protect me from such
> actions opposed when i was using a substitute operator?

You are correct Nicos, passing the values as a parameter list does 
protect you from SQL injection JT has made an error.
> 
>> I would guess because you forgot the uotes around string values in your
>> SQL statement which thus wasn't executed.
> 
> i tried you suggestions:
> 
> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit =
> %s WHERE url = "%s"''', (host, lastvisit, filename) )
> 
> seems the same as:
> 
> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit =
> %s WHERE url = %s''', (host, lastvisit, filename) )
> 
> since everything is tripled quoted already what would the difference be
> in "%s" opposed to plain %s ?

As already noted JT made an error in assuming you were using string 
substitution & not passing parameters the quotes are not required & will 
case errors.

as to your problem you have already been advised that update does not 
generate any returned data.
to see the data you need to issue a select.

to make debugging easier I suggest you need to use an easier way to see 
what is happening in the database
assuming you are using mysql then phpmyadmin may help

also as i have previously suggested it would be wise to keep this system 
off the internet untill you are satisfied it is working correctly & 
secure.
  



-- 
If God had really intended men to fly, he'd make it easier to get to the
airport.
		-- George Winters

[toc] | [prev] | [next] | [standalone]

#48557

On 17/6/2013 10:05 μμ, Alister wrote:
> You are correct Nicos, passing the values as a parameter list does
> protect you from SQL injection JT has made an error.

Even if the query is somehting like:

http://superhost.gr/cgi-bin/files.py?filename="Select....."

 From what exactly the comma protects me for?

What id=f the user passes data to filename variable throgh url?
Will comma understand that?
How can it tell form a normal filename opposes to a select statemnt 
acting as a filename value?



-- 
What is now proved was at first only imagined!

[toc] | [prev] | [next] | [standalone]

#48559

On Mon, 17 Jun 2013 22:30:57 +0300, Νίκος wrote:

> On 17/6/2013 10:05 μμ, Alister wrote:
>> You are correct Nicos, passing the values as a parameter list does
>> protect you from SQL injection JT has made an error.
> 
> Even if the query is somehting like:
> 
> http://superhost.gr/cgi-bin/files.py?filename="Select....."
> 
>  From what exactly the comma protects me for?
> 
> What id=f the user passes data to filename variable throgh url? Will
> comma understand that?
> How can it tell form a normal filename opposes to a select statemnt
> acting as a filename value?

this is because the execute method is written to escape the contents of 
the parameter list.
if you want more information you really do need to read either the 
documentation or a good tutorial which would explain things far better 
than I can 

otherwise prove it to yourself by creating a dummy database & trying it

Make sure you are NOT using your production database so you do not risk 
any real data


-- 
Being a BALD HERO is almost as FESTIVE as a TATTOOED KNOCKWURST.

[toc] | [prev] | [next] | [standalone]

#48562

On Mon, 17 Jun 2013 20:26:57 +0000, Alister wrote:

> On Mon, 17 Jun 2013 22:30:57 +0300, Νίκος wrote:
> 
>> On 17/6/2013 10:05 μμ, Alister wrote:
>>> You are correct Nicos, passing the values as a parameter list does
>>> protect you from SQL injection JT has made an error.
>> 
>> Even if the query is somehting like:
>> 
>> http://superhost.gr/cgi-bin/files.py?filename="Select....."
>> 
>>  From what exactly the comma protects me for?
>> 
>> What id=f the user passes data to filename variable throgh url? Will
>> comma understand that?
>> How can it tell form a normal filename opposes to a select statemnt
>> acting as a filename value?
> 
> this is because the execute method is written to escape the contents of
> the parameter list.
> if you want more information you really do need to read either the
> documentation or a good tutorial which would explain things far better
> than I can
> 
> otherwise prove it to yourself by creating a dummy database & trying it
> 
> Make sure you are NOT using your production database so you do not risk
> any real data


Some very crude code using sqlite to demonstrate the principle (sqlite 
uses ? as a wild card instead of %s):

import sqlite3 as sql

db=sql.connect(':memory:')

makedb="CREATE TABLE `TEST` (data text)"
cursor=db.cursor()
cursor.execute(makedb)
gooddata="safe text"
baddata ="');drop table TEST"
cursor.execute("INSERT INTO TEST VALUES (?)",[baddata])
cursor.execute('SELECT * from TEST')
print cursor.fetchall()
cursor.execute("INSERT INTO TEST VALUES ('%s')"%gooddata)
cursor.execute('SELECT * from TEST')
print cursor.fetchall()
cursor.execute("INSERT INTO TEST VALUES ('%s')"%baddata)
cursor.execute('SELECT * from TEST')
print cursor.fetchall()

the 1st 2 inserts will both work & reasonable data will be printed.
the 2nd will fail because sqlite does not allow multiple commands to be 
chained, if this was run in mysql then the table test would be deleted
-- 
"For a male and female to live continuously together is...  biologically 
speaking, an extremely unnatural condition."
-- Robert Briffault

[toc] | [prev] | [next] | [standalone]

#48578

On 17 Jun 2013 17:54:33 GMT, jt@toerring.de (Jens Thoms Toerring) declaimed
the following:

>In article <kpne3k$1066$1@news.ntua.gr> you wrote:
>> After a user selects a file from the form, that sleection of his can be 
>> found form reading the variable 'filename'
>
>> If the filename already exists in to the database i want to update its 
>> counter and that is what i'm trying to accomplish by:
>
>> -----------
>> if form.getvalue('filename'):
>>         cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
>> %s WHERE url = %s''', (host, lastvisit, filename) )
>
>There are (single) quotes missing around (at least) the file
>name (the 'url' column) which I'm rather sure is a string -
>you need them around all strings you use in SQL statements.
>
	No he doesn't... The db-api adapter is responsible for properly
handling parameterized queries.

	In the case of MySQLdb -- IT will wrap each argument with quotes, along
with escaping any special characters.

	This is also why one can NOT pass schema entities (table/field names)
to a parameterized query -- the adapter "safes" them which results in them
no longer being valid schema items.

	NONE of the db-api adapters I've used require one to put quotes into
the query template.

	Your statement would be correct IF one were using Python string
interpolation to fill in the query.
-- 
	Wulfraed                 Dennis Lee Bieber         AF6VN
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/

[toc] | [prev] | [next] | [standalone]

#48580

Στις 18/6/2013 2:30 πμ, ο/η Dennis Lee Bieber έγραψε:
> 	In the case of MySQLdb -- IT will wrap each argument with quotes, along
> with escaping any special characters.



Even if the query is something like:

http://superhost.gr/cgi-bin/files.py?filename="Select....."

 From what exactly the comma protects me for?

What id=f the user passes data to filename variable through url?
Will comma understand that?
How can it tell form a normal filename opposes to a select statement 
acting as a filename value?

-- 
What is now proved was at first only imagined!

[toc] | [prev] | [next] | [standalone]

#48555

In <kpne3k$1066$1@news.ntua.gr> Simpleton <support@superhost.gr> writes:

> if form.getvalue('filename'):
> 	cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
> %s WHERE url = %s''', (host, lastvisit, filename) )

Add an 'else' statement above that prints something, so you will at least
know if the UPDATE statement is ever executed.

Print the cur.rowcount attribute, which contains the number of rows that
were affected by the update.  If it's zero, that should tell you something.

-- 
John Gordon                   A is for Amy, who fell down the stairs
gordon@panix.com              B is for Basil, assaulted by bears
                                -- Edward Gorey, "The Gashlycrumb Tinies"

[toc] | [prev] | [next] | [standalone]

#48556

On 17/6/2013 10:19 μμ, John Gordon wrote:
> Print the cur.rowcount attribute, which contains the number of rows that
> were affected by the update.  If it's zero, that should tell you something.


#update file's counter if cookie does not exist
cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
%s WHERE url = %s''', (host, lastvisit, filename) )

if cur.rowcount:
		print( " database has been affected" )

indeed every time i select afilename the message gets printed bu then 
again noticing the database via phpmyadmin the filename counter is 
always remaining 0, and not added by +1

-- 
What is now proved was at first only imagined!

[toc] | [prev] | [next] | [standalone]

#48561

On Mon, 17 Jun 2013 22:28:47 +0300, Νίκος wrote:

> On 17/6/2013 10:19 μμ, John Gordon wrote:
>> Print the cur.rowcount attribute, which contains the number of rows
>> that were affected by the update.  If it's zero, that should tell you
>> something.
> 
> 
> #update file's counter if cookie does not exist cur.execute('''UPDATE
> files SET hits = hits + 1, host = %s, lastvisit =
> %s WHERE url = %s''', (host, lastvisit, filename) )
> 
> if cur.rowcount:
> 		print( " database has been affected" )
> 
> indeed every time i select afilename the message gets printed bu then
> again noticing the database via phpmyadmin the filename counter is
> always remaining 0, and not added by +1

replase
 if cur.rowcount:
 		print( " database has been affected" )

with print cur.rowcount()

you can also use phpmyadmin to try your sql queries interactively to 
check the perform as expected before putting them into your code

-- 
Warp 7 -- It's a law we can live with.

[toc] | [prev] | [next] | [standalone]

#48563

In <MtKvt.47400$ja6.35986@fx18.am4> Alister <alister.ware@ntlworld.com> writes:

> > #update file's counter if cookie does not exist cur.execute('''UPDATE
> > files SET hits = hits + 1, host = %s, lastvisit =
> > %s WHERE url = %s''', (host, lastvisit, filename) )
> > 
> > if cur.rowcount:
> > 		print( " database has been affected" )
> > 
> > indeed every time i select afilename the message gets printed bu then
> > again noticing the database via phpmyadmin the filename counter is
> > always remaining 0, and not added by +1

> replase
>  if cur.rowcount:
>  		print( " database has been affected" )

> with print cur.rowcount()

rowcount isn't a method call; it's just an attribute.  You don't need
the parentheses.

-- 
John Gordon                   A is for Amy, who fell down the stairs
gordon@panix.com              B is for Basil, assaulted by bears
                                -- Edward Gorey, "The Gashlycrumb Tinies"

[toc] | [prev] | [next] | [standalone]

Page 1 of 2  [1] 2  Next page →

Back to top | Article view | comp.lang.python

csiph-web