Alberto Ruiz
al at ruiz.ws
Fri Mar 31 08:53:45 EST 2006
Never mind about the meta tag. It works after I added the send_http_header() method.

On Fri, 2006-03-31 at 06:24 -0700, Alberto Ruiz wrote:
> I really appreciate all of your feedback and help a lot on resolving my
> issues. I agree with the coding problems, but did I miss it somewhere?
> Nobody addressed the issue why the meta tag is not being processed. The
> code was working fine on a Debian system as I mentioned in an earlier
> thread. I appreciate your patience, even though I'm a Python
> programmer, I didn't write the code or had any previous experience on
> writing web applications in Python. I'm just helping a frustrated
> friend who insists that the code was working before on a Debian system
> and now it is not on a FreeBSD one.
>
> On Fri, 2006-03-31 at 07:44 -0500, Jim Gallacher wrote:
> > (Oops, let me try that again).
> >
> > Not directly related to your 500 error, but hopefully you'll find my
> > suggestions useful in improving your code.
> >
> > >> import time,random,string
> > >> global DATEBOX
> > >> from mod_python import Cookie
> > >>
> > >> def index (req,LLRuser='',LLRpw=''):
> > >>     debugfile = open("/home/john/www/mydomain.com/debug.txt", "a")
> > >>     debugfile.write("Begining of index function\n")
> > >>     global R; R=req; R.content_type="text/html"
> >
> > Avoid putting multiple statements on one line, as it's not considered
> > good python style. Personally I think it's bad C style as well. In my
> > experience it makes it harder to track down bugs.
> >
> > > You should not store the request object in a global variable. If you
> > > ever move to mod_python 3.X and use a multithreaded MPM it will break
> > > as multiple threads may execute within the same module at the same
> > > time.
> >
> > >>     cur=DBconnectpropman.DB.cursor()
> > >>     sidrefreshing=0
> > >>     ZWF.R=R
> > >>     global SID;SID=''
> > >>     global UID;UID=''
> > >>     cookies = Cookie.get_cookies(R, Cookie.MarshalCookie,
> > >>                                  secret='LLR14222222')
> > >>     if LLRuser!='' and LLRpw!='': # login attempt
> > >>         if string.find(LLRuser,"@")!=-1: #client login attempt
> > >>             cur.execute("select clientid,name,password from client where email='"+LLRuser+"'")
> >
> > WARNING! Potential sql injection attack.
> >
> > You are leaving yourself open to a sql injection attack. Never trust
> > user provided data. You can avoid this problem by letting the python DBI
> > do the work for you. This will properly escape the content of LLRuser:
> >
> > cur.execute("select clientid,name,password from client where email=%s"
> >             ,LLRuser)
> >
> > Note that you don't need to enclose the %s in single quotes here. The
> > DBI takes care of it for you.
> >
> > >>             x=random.randint(48,108)
> > >>             if x>57:x+=8
> > >>             if x>90:x+=6
> > >>             SID+=chr(x)
> > >>         cookie = Cookie.Cookie('sid', SID); cookie.expires = time.time() + 36000; Cookie.add_cookie(R, cookie)
> > >>         q="update "+usertable+" set SID='"+SID+"' where name='"+LLRuser+"' and password='"+LLRpw+"'"
> >
> > This gets hard to read (and debug) with all the single and double quotes
> > mixed together. At a quick glance it's hard to differentiate the strings
> > from the variables. Try something like this:
> >
> > q = "update %s set SID = '%s' where name = '%s' and password = '%s'" % (usertable, SID, LLRuser, LLRpw)
> >
> > Using "+" to concatenate strings is inefficient in python and generally
> > avoided. For short strings it's not likely an issue, but I just want to
> > make sure you are aware.
> >
> > Of course *using* q in a sql query still leaves you open to a sql
> > injection attack ;).
> >
> > Jim
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
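The two queries Jim flags (the client lookup built by concatenating LLRuser, and the later update that splices SID, LLRuser and LLRpw into the SQL text) reworked as an added example; this is not code from the thread or from the application being discussed. It runs the vulnerable and the parameter-bound form of each query side by side against a constructed in-memory sqlite3 table shaped like the thread's client table, so the reader can see what a hostile login string does to each. sqlite3's "qmark" paramstyle (?) stands in for the MySQLdb-style %s in Jim's suggestion; the table rows, the attack string and the ALLOWED_USER_TABLES allowlist are all assumptions made for the example. The allowlist is there because a table name (the thread's usertable) is an identifier and cannot be bound as a parameter, so it has to be validated some other way.

```python
import sqlite3


# Constructed sample data, not from the thread: an in-memory table shaped
# like the thread's "client" table, plus a sid column for the update query.
def make_db():
    db = sqlite3.connect(":memory:")
    cur = db.cursor()
    cur.execute(
        "create table client (clientid integer, name text, password text, "
        "email text, sid text)"
    )
    cur.executemany(
        "insert into client values (?, ?, ?, ?, ?)",
        [
            (1, "alice", "alice-pw", "alice@example.com", ""),
            (2, "bob", "bob-pw", "bob@example.com", ""),
        ],
    )
    db.commit()
    return db


def lookup_client_concat(cur, email):
    # Vulnerable form, as in the thread: the user string is spliced into the
    # SQL text, so a quote inside `email` closes the literal early.
    cur.execute(
        "select clientid,name,password from client where email='" + email + "'"
    )
    return cur.fetchall()


def lookup_client_param(cur, email):
    # Hardened form: the driver binds the value. sqlite3 uses the "qmark"
    # paramstyle (?); MySQLdb, which Jim's %s suggests, uses "format" (%s).
    # Either way the placeholder is not wrapped in quotes in the SQL text.
    cur.execute(
        "select clientid,name,password from client where email=?", (email,)
    )
    return cur.fetchall()


def set_sid_concat(cur, usertable, sid, name, password):
    # The thread's update, still built by concatenation. Returns rows touched.
    q = ("update " + usertable + " set sid='" + sid + "' where name='" + name
         + "' and password='" + password + "'")
    cur.execute(q)
    return cur.rowcount


# Assumption for the example: the only table names usertable may carry.
ALLOWED_USER_TABLES = ("client",)


def set_sid_param(cur, usertable, sid, name, password):
    # Identifiers cannot be bound as parameters, so the table name is checked
    # against an allowlist and only then interpolated; the values are bound.
    if usertable not in ALLOWED_USER_TABLES:
        raise ValueError("unexpected table name: %r" % (usertable,))
    cur.execute(
        "update %s set sid=? where name=? and password=?" % usertable,
        (sid, name, password),
    )
    return cur.rowcount


def demo():
    db = make_db()
    cur = db.cursor()
    benign = "alice@example.com"
    hostile = "' or '1'='1"  # constructed attack string
    results = {
        "concat_benign": lookup_client_concat(cur, benign),
        # the literal closes after email='' and the OR matches every row
        "concat_hostile": lookup_client_concat(cur, hostile),
        "param_benign": lookup_client_param(cur, benign),
        # bound value: the whole hostile string is compared as data
        "param_hostile": lookup_client_param(cur, hostile),
        # password check bypassed: every row gets the attacker's sid
        "update_concat_hostile": set_sid_concat(cur, "client", "s1", "bob", hostile),
        "update_param_hostile": set_sid_param(cur, "client", "s2", "bob", hostile),
        "update_param_valid": set_sid_param(cur, "client", "s3", "bob", "bob-pw"),
    }
    try:
        set_sid_param(cur, "client; drop table client", "s4", "bob", "bob-pw")
        results["bad_table_rejected"] = False
    except ValueError:
        results["bad_table_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the concatenated form, the login lookup returns every client and the update stamps the attacker's session id onto every row; with the bound form the same input matches nothing, and a table name outside the allowlist is refused before any SQL is built.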