|
Wouter van Marle
wouter at squirrel-systems.com
Wed May 17 11:53:23 EDT 2006
On Wed, 2006-05-17 at 11:46 -0400, Jim Gallacher wrote:
> Wouter van Marle wrote:
> > Dear Deron,
> >
> > Thank you for the comments. I understand your ideas; unfortunately it
> > does not solve my problem.
> >
> > The info I get from another website, this origin gives me the info in
> > the ampersand form (that third party site is a Netscape server by the
> > way! Didn't know they are still in use, very remarkable). And I like
> > that.
> > The main reason to continue using that format is the " (double-quotes)
> > and ' (single quotes). These characters are used in the data that I try
> > to store in the mysql base, and that fantastically messes up with the
> > queries....
> > imagine: s = "this is 'a' string"
> > then say query = """ SELECT * FROM base WHERE field = "%s";"""% s
> >
> > But what about when s can be 'this is "a" string'
> > or s = """this is a 5", 'b' sized thing""".
>
>
> Don't build your query string that way, *especially* if you are getting
> data from an untrusted source. You are laying yourself open to a SQL
> injection attack. You want to use parameter passing. (for MySQLdb)
>
> cur.execute("SELECT * FROM base WHERE field = %s", s)
I have tried this (once) with MySQLdb, and it doesn't seem to work like
that. (v1.2.1g2) Didn't pursue the issue further.
I am aware of the issues of SQL injection. For that reason I've given
the web script a special user with only very limited capabilities, to at
least make it a little harder for attackers.
Wouter.
>
> The DBI will escape the quote characters for you (as well as the ';'
> character), and stick quotes around the %s in the query string if required.
>
> Jim
>
>
|