[mod_python] How do I troubleshoot a 500 Internal Server Error?

Jim Gallacher jpg at jgassociates.ca
Fri Mar 31 07:44:31 EST 2006


(Oops, let me try that again).

Not directly related to your 500 error, but hopefully you'll find my 
suggestions useful in improving your code.

>> import time,random,string
>> global DATEBOX
>> from mod_python import Cookie
>>
>> def index (req,LLRuser='',LLRpw=''):
>>     debugfile = open("/home/john/www/mydomain.com/debug.txt", "a")
>>     debugfile.write("Begining of index function\n")
>>     global R; R=req; R.content_type="text/html"

Avoid putting multiple statements on one line, as it's not considered 
good python style. Personally I think it's bad C style as well. In my 
experience it makes it harder to track down bugs.

> 
> You should not store the request object in a global variable. If you  
> ever move
> to mod_python 3.X and use a multithreaded MPM it will break as multiple
> threads may execute within the same module at the same time.
> 
>>     cur=DBconnectpropman.DB.cursor()
>>     sidrefreshing=0
>>     ZWF.R=R
>>     global SID;SID=''
>>     global UID;UID=''
>>     cookies = Cookie.get_cookies(R, Cookie.MarshalCookie, secret='LLR14222222')
>>     if LLRuser!='' and LLRpw!='':  # login attempt
>>         if string.find(LLRuser,"@")!=-1: #client login attempt
>>             cur.execute("select clientid,name,password from client where email='"+LLRuser+"'")

WARNING! Potential sql injection attack.

You are leaving yourself open to a sql injection attack. Never trust 
user provided data. You can avoid this problem by letting the python DBI 
do the work for you. This will properly escape the content of LLRuser:

cur.execute("select clientid,name,password from client where email=%s",
             (LLRuser,))

Note that you don't need to enclose the %s in single quotes here. The 
DBI takes care of it for you.

>>                 x=random.randint(48,108)
>>                 if x>57:x+=8
>>                 if x>90:x+=6
>>                 SID+=chr(x)
>>             cookie = Cookie.Cookie('sid', SID); cookie.expires = time.time() + 36000; Cookie.add_cookie(R, cookie)
>>             q="update "+usertable+" set SID='"+SID+"' where name='"+LLRuser+"' and password='"+LLRpw+"'"

This gets hard to read (and debug) with all the single and double quotes 
mixed together. At a quick glance it's hard to differentiate the strings 
from the variables. Try something like this:

q = "update %s set SID = '%s' where name = '%s' and password = '%s'" % (usertable, SID, LLRuser, LLRpw)

Using "+" to concatenate strings is inefficient in python and generally 
avoided. For short strings it's not likely an issue, but I just want to 
make sure you are aware.

Of course *using* q in a sql query still leaves you open to a sql 
injection attack ;).

Jim
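A worked illustration of the two points in the reply above (letting the DB API bind the value, and why the %-formatted q is still injectable), as an added example that is not part of the original post or of mod_python. It uses Python's sqlite3 module in place of the poster's MySQL database, so the placeholder is ? rather than the %s of the DBI Jim refers to; the table layout, sample rows, the KNOWN_TABLES allow-list and the function names are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the poster's "client" table (assumed layout).
SAMPLE_CLIENTS = [
    (1, "alice", "alice@example.com", "s3cret"),
    (2, "bob", "bob@example.com", "hunter2"),
]

# A table name cannot be a bound parameter, so it is checked against this
# allow-list (constructed for the demo) before being spliced into the SQL text.
KNOWN_TABLES = ("client",)


def make_db():
    """Build an in-memory sqlite3 database with the columns the quoted code uses."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute(
        "create table client (clientid integer, name text, email text, "
        "password text, SID text)"
    )
    cur.executemany(
        "insert into client (clientid, name, email, password) values (?, ?, ?, ?)",
        SAMPLE_CLIENTS,
    )
    conn.commit()
    return conn


def lookup_concat(conn, llr_user):
    """The quoted code's shape: the e-mail address is glued into the SQL text.

    Whatever quoting characters llr_user contains become part of the query.
    """
    cur = conn.cursor()
    cur.execute(
        "select clientid,name,password from client where email='" + llr_user + "'"
    )
    return cur.fetchall()


def lookup_param(conn, llr_user):
    """Jim's fix: hand the value to the DB API as a parameter.

    The driver binds it as data, so it can never change the query's structure.
    sqlite3 uses '?' where MySQLdb uses '%s'; the tuple form is DB-API 2.0.
    """
    cur = conn.cursor()
    cur.execute(
        "select clientid,name,password from client where email=?", (llr_user,)
    )
    return cur.fetchall()


def update_sid_param(conn, usertable, sid, llr_user, llr_pw):
    """Parameterised version of the quoted 'update ... set SID' statement.

    %-formatting is kept only for the table name, after allow-list validation;
    every user-supplied value is a bound parameter. Returns the rows updated.
    """
    if usertable not in KNOWN_TABLES:
        raise ValueError("unexpected table name: %r" % usertable)
    cur = conn.cursor()
    cur.execute(
        "update %s set SID=? where name=? and password=?" % usertable,
        (sid, llr_user, llr_pw),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a single quote: the concatenated query's
    # WHERE clause is rewritten by it, the parameterised one treats it as data.
    odd_input = "x' or '1'='1"
    print("concatenated :", lookup_concat(db, odd_input))   # every row comes back
    print("parameterised:", lookup_param(db, odd_input))    # no row matches
    print("rows updated :", update_sid_param(db, "client", "a1b2", "alice", "s3cret"))
```

Note that the concatenated form also breaks on perfectly legitimate input: an address containing an apostrophe raises a syntax error from the database, whereas the bound parameter handles it like any other string. That functional argument is often the easiest way to get the fix accepted.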
