Jim Gallacher
jpg at jgassociates.ca
Fri Mar 31 07:44:31 EST 2006
(Oops, let me try that again). Not directly related to your 500 error, but hopefully you'll find my suggestions useful in improving your code.

>> import time,random,string
>> global DATEBOX
>> from mod_python import Cookie
>>
>> def index (req,LLRuser='',LLRpw=''):
>>     debugfile = open("/home/john/www/mydomain.com/debug.txt", "a")
>>     debugfile.write("Begining of index function\n")
>>     global R; R=req; R.content_type="text/html"

Avoid putting multiple statements on one line, as it's not considered good python style. Personally I think it's bad C style as well. In my experience it makes it harder to track down bugs.

> You should not store the request object in a global variable. If you ever move
> to mod_python 3.X and use a multithreaded MPM it will break as multiple
> threads may execute within the same module at the same time.
>
>>     cur=DBconnectpropman.DB.cursor()
>>     sidrefreshing=0
>>     ZWF.R=R
>>     global SID;SID=''
>>     global UID;UID=''
>>     cookies = Cookie.get_cookies(R, Cookie.MarshalCookie, secret='LLR14222222')
>>     if LLRuser!='' and LLRpw!='': # login attempt
>>         if string.find(LLRuser,"@")!=-1: #client login attempt
>>             cur.execute("select clientid,name,password from client where email='"+LLRuser+"'")

WARNING! Potential sql injection attack. You are leaving yourself open to a sql injection attack. Never trust user-provided data. You can avoid this problem by letting the python DBI do the work for you. This will properly escape the content of LLRuser:

cur.execute("select clientid,name,password from client where email=%s", LLRuser)

Note that you don't need to enclose the %s in single quotes here. The DBI takes care of it for you.
>>             x=random.randint(48,108)
>>             if x>57:x+=8
>>             if x>90:x+=6
>>             SID+=chr(x)
>>         cookie = Cookie.Cookie('sid', SID); cookie.expires = time.time() + 36000; Cookie.add_cookie(R, cookie)
>>         q="update "+usertable+" set SID='"+SID+"' where name='"+LLRuser+"' and password='"+LLRpw+"'"

This gets hard to read (and debug) with all the single and double quotes mixed together. At a quick glance it's hard to differentiate the strings from the variables. Try something like this:

q = "update %s set SID = '%s' where name = '%s' and password = '%s'" % (usertable, SID, LLRuser, LLRpw)

Using "+" to concatenate strings is inefficient in python and generally avoided. For short strings it's not likely an issue, but I just want to make sure you are aware. Of course *using* q in a sql query still leaves you open to a sql injection attack ;).

Jim
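The point Jim makes about the select and the update, shown as an added example that is not part of the original post or the poster's application: the concatenated query beside its parameterised DB-API form, run against a constructed in-memory sqlite3 table (sqlite3 binds with `?` rather than the `%s` placeholder of MySQLdb, but the mechanism is the same).

```python
import sqlite3

# Constructed sample data (not from the original post): an in-memory
# table shaped like the 'client' table the quoted code queries.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table client (clientid integer, name text, "
                 "password text, email text, sid text)")
    conn.executemany("insert into client values (?, ?, ?, ?, ?)", [
        (1, "alice", "pw-a", "alice@example.com", ""),
        (2, "obrien", "pw-o", "o'brien@example.com", ""),
    ])
    return conn

def lookup_client_concat(conn, email):
    # The quoted code's pattern: the user-supplied value is spliced into
    # the SQL text, so a quote inside the input is parsed as SQL.
    q = "select clientid,name,password from client where email='" + email + "'"
    return conn.execute(q).fetchall()

def lookup_client_param(conn, email):
    # Parameterised form: the driver binds the value, so quotes inside the
    # input stay data. sqlite3's placeholder is '?' (paramstyle 'qmark');
    # MySQLdb, which the post's '%s' example targets, binds the same way.
    q = "select clientid,name,password from client where email=?"
    return conn.execute(q, (email,)).fetchall()

def set_session_id(conn, sid, name, password):
    # Parameterised version of the quoted update query. A table name cannot
    # be bound as a parameter, so 'client' is a literal here instead of the
    # post's 'usertable' variable. Returns the number of rows updated.
    cur = conn.execute("update client set sid=? where name=? and password=?",
                       (sid, name, password))
    conn.commit()
    return cur.rowcount

def concat_query_fails(conn, email):
    # True when the concatenated query cannot even be parsed for this input:
    # the apostrophe in a legitimate address terminates the SQL string early.
    try:
        lookup_client_concat(conn, email)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(lookup_client_param(db, "o'brien@example.com"))
    print(concat_query_fails(db, "o'brien@example.com"))
```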