Groups > comp.lang.python > #19879 > unrolled thread

Re: MySQLdb not allowing hyphen

Started byChris Rebert <clp2@rebertia.com>
First post2012-02-05 14:46 -0800
Last post2012-02-08 11:41 -0800
Articles 2 — 2 participants

This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.

#19879 — Re: MySQLdb not allowing hyphen

FromChris Rebert <clp2@rebertia.com>
Date2012-02-05 14:46 -0800
SubjectRe: MySQLdb not allowing hyphen
Message-ID<mailman.5458.1328481998.27778.python-list@python.org>
On Sun, Feb 5, 2012 at 2:41 PM, Emeka <emekamicro@gmail.com> wrote:
>
> Hello All,
>
> I noticed that MySQLdb not allowing hyphen may be way to prevent injection
> attack.
> I have something like below:
>
> "insert into reviews(message, title)values('%s', '%s')" %( "We don't know
> where to go","We can't wait till morrow" )
>
> ProgrammingError(1064, "You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right syntax to
> use near 't know where to go.
>
> How do I work around this error?

Don't use raw SQL strings in the first place. Use a proper
parameterized query, e.g.:

cursor.execute("insert into reviews(message, title) values (%s, %s)",
    ("We don't know where to go", "We can't wait till morrow"))

Cheers,
Chris
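The failure Emeka hit and the fix Chris describes, as an added example that is not part of the original thread. It uses Python's built-in sqlite3 module instead of MySQLdb so it runs with no server (an assumption: sqlite3 takes `?` placeholders where MySQLdb takes `%s`, but the principle is the same). The apostrophe in "don't" ends the quoted SQL literal when the value is pasted in with `%`; the driver-bound version stores both strings verbatim.

```python
import sqlite3

# Sample values constructed from the question in the thread.
MESSAGE = "We don't know where to go"
TITLE = "We can't wait till morrow"


def setup():
    """Create an in-memory table shaped like the one in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table reviews(message text, title text)")
    return conn


def insert_interpolated(conn, message, title):
    """The pattern from the question: the values are pasted into the SQL text.

    Any apostrophe in the data terminates the SQL string literal early, which
    is both the syntax error seen in the thread and an injection vector.
    """
    sql = "insert into reviews(message, title) values('%s', '%s')" % (message, title)
    conn.execute(sql)


def insert_parameterized(conn, message, title):
    """The fix: hand the values to the driver, which binds them safely.

    sqlite3 uses ? placeholders; MySQLdb uses %s with the same two-argument
    execute() call, as in Chris's reply.
    """
    conn.execute("insert into reviews(message, title) values (?, ?)", (message, title))


def demo():
    """Return whether interpolation failed, and what the bound insert stored."""
    conn = setup()
    try:
        insert_interpolated(conn, MESSAGE, TITLE)
        interpolated_failed = False
    except sqlite3.OperationalError:  # syntax error near "t know where to go"
        interpolated_failed = True
    insert_parameterized(conn, MESSAGE, TITLE)
    stored = conn.execute("select message, title from reviews").fetchall()
    return interpolated_failed, stored


if __name__ == "__main__":
    failed, rows = demo()
    print("interpolated insert raised a syntax error:", failed)
    print("rows stored by the parameterized insert:", rows)
```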

#20031

FromJohn Nagle <nagle@animats.com>
Date2012-02-08 11:41 -0800
Message-ID<4f32cff3$0$12030$742ec2ed@news.sonic.net>
In reply to#19879
On 2/5/2012 2:46 PM, Chris Rebert wrote:
> On Sun, Feb 5, 2012 at 2:41 PM, Emeka<emekamicro@gmail.com>  wrote:
>>
>> Hello All,
>>
>> I noticed that MySQLdb not allowing hyphen may be way to prevent injection
>> attack.
>> I have something like below:
>>
>> "insert into reviews(message, title)values('%s', '%s')" %( "We don't know
>> where to go","We can't wait till morrow" )
>>
>> ProgrammingError(1064, "You have an error in your SQL syntax; check the
>> manual that corresponds to your MySQL server version for the right syntax to
>> use near 't know where to go.
>>
>> How do I work around this error?
>
> Don't use raw SQL strings in the first place. Use a proper
> parameterized query, e.g.:
>
> cursor.execute("insert into reviews(message, title) values (%s, %s)",
>      ("We don't know where to go", "We can't wait till morrow"))

   Yes.  You are doing it wrong.  Do NOT use the "%" operator when
putting SQL queries together.  Let "cursor.execute" fill them
in.  It knows how to escape special characters in the input fields,
which will fix your bug and prevent SQL injection.

					John Nagle
