Alberto Ruiz
al at ruiz.ws
Fri Mar 31 08:24:05 EST 2006
I really appreciate all of your feedback and help a lot on resolving my issues. I agree with the coding problems, but did I miss it somewhere? Nobody addressed the issue why the meta tag is not being processed. The code was working fine on a Debian system as I mentioned in an earlier thread. I appreciate your patience, eventhough I'm a Python programmer, I didn't write the code or had any previous experience on writing web applications in Python. I'm just helping a frustrated friend who insists that the code was working before on a Debian system and now it is not on a Freebsd one. On Fri, 2006-03-31 at 07:44 -0500, Jim Gallacher wrote: > (Oops, let me try that again). > > Not directly related to your 500 error, but hopefully you'll find my > suggestions useful in improving your code. > > >> import time,random,string > >> global DATEBOX > >> from mod_python import Cookie > >> > >> def index (req,LLRuser='',LLRpw=''): > >> debugfile = open("/home/john/www/mydomain.com/debug.txt", "a") > >> debugfile.write("Begining of index function\n") > >> global R; R=req; R.content_type="text/html" > > Avoid putting multiple statements on one line, as it's not considered > good python style. Personally I think it's bad C style as well. In my > experience it makes it harder to track down bugs. > > > > > You should not store the request object in a global variable. If you > > ever move > > to mod_python 3.X and use a multithreaded MPM it will break as multiple > > threads may execute within the same module as the same time. > > > >> cur=DBconnectpropman.DB.cursor() > >> sidrefreshing=0 > >> ZWF.R=R > >> global SID;SID='' > >> global UID;UID='' > >> cookies = Cookie.get_cookies(R, Cookie.MarshalCookie, > >> secret='LLR14222222') > >> if LLRuser!='' and LLRpw!='': # login attempt > >> if string.find(LLRuser,"@")!=-1: #client login attempt > >> cur.execute("select clientid,name,password from client where > >> email='"+LLRuser+"'") > > WARING! Potential sql injection attack. > > You are leaving yourself open to a sql injection attack. Never trust > user provided data. You can avoid this problem by letting the python DBI > do the work for you. This will properly escape the content of LLRuser: > > cur.execute("select clientid,name,password from client where email=%s" > ,LLRuser) > > Note that you don't need to enclose the %s in single quotes here. The > DBI takes care of it for you. > > >> x=random.randint(48,108) > >> if x>57:x+=8 > >> if x>90:x+=6 > >> SID+=chr(x) > >> cookie = Cookie.Cookie('sid', SID); cookie.expires = > >> time.time() + > >> 36000; Cookie.add_cookie(R, cookie) > >> q="update "+usertable+" set SID='"+SID+"' where > >> name='"+LLRuser+"' > >> and password='"+LLRpw+"'" > > This gets hard to read (and debug) with all the single and double quotes > mixed together. At a quick glance it's hard to differentiate the strings > from the variables. Try something like this: > > q = "update %s set SID = '%s' where name = '%s' and password = '%s'" % > (usertable, SID, LLRuser, LLRpw) > > Using "+" to concatenate strings is inefficient in python and generally > avoid. For short strings it's not likely an issue, but I just want to > make sure you are aware. > > Of course *using* q in a sql query still leaves you open to a sql > injection attack ;). > > Jim > > >
|