Alberto Ruiz
al at ruiz.ws
Fri Mar 31 08:24:05 EST 2006
I really appreciate all of your feedback and help a lot on resolving my
issues. I agree with the coding problems, but did I miss it somewhere?
Nobody addressed the issue why the meta tag is not being processed. The
code was working fine on a Debian system as I mentioned in an earlier
thread. I appreciate your patience, even though I'm a Python
programmer, I didn't write the code or have any previous experience on
writing web applications in Python. I'm just helping a frustrated
friend who insists that the code was working before on a Debian system
and now it is not on a FreeBSD one.
On Fri, 2006-03-31 at 07:44 -0500, Jim Gallacher wrote:
> (Oops, let me try that again).
>
> Not directly related to your 500 error, but hopefully you'll find my
> suggestions useful in improving your code.
>
> >> import time,random,string
> >> global DATEBOX
> >> from mod_python import Cookie
> >>
> >> def index (req,LLRuser='',LLRpw=''):
> >>     debugfile = open("/home/john/www/mydomain.com/debug.txt", "a")
> >>     debugfile.write("Beginning of index function\n")
> >>     global R; R=req; R.content_type="text/html"
>
> Avoid putting multiple statements on one line, as it's not considered
> good python style. Personally I think it's bad C style as well. In my
> experience it makes it harder to track down bugs.
>
> >
> > You should not store the request object in a global variable. If you
> > ever move
> > to mod_python 3.X and use a multithreaded MPM it will break as multiple
> > threads may execute within the same module at the same time.
> >
> >>     cur=DBconnectpropman.DB.cursor()
> >>     sidrefreshing=0
> >>     ZWF.R=R
> >>     global SID;SID=''
> >>     global UID;UID=''
> >>     cookies = Cookie.get_cookies(R, Cookie.MarshalCookie, secret='LLR14222222')
> >>     if LLRuser!='' and LLRpw!='': # login attempt
> >>         if string.find(LLRuser,"@")!=-1: #client login attempt
> >>             cur.execute("select clientid,name,password from client where email='"+LLRuser+"'")
>
> WARNING! Potential sql injection attack.
>
> You are leaving yourself open to a sql injection attack. Never trust
> user provided data. You can avoid this problem by letting the python DBI
> do the work for you. This will properly escape the content of LLRuser:
>
> cur.execute("select clientid,name,password from client where email=%s", (LLRuser,))
>
> Note that you don't need to enclose the %s in single quotes here. The
> DBI takes care of it for you.
>
> >>     x=random.randint(48,108)
> >>     if x>57:x+=8
> >>     if x>90:x+=6
> >>     SID+=chr(x)
> >>     cookie = Cookie.Cookie('sid', SID); cookie.expires = time.time() + 36000; Cookie.add_cookie(R, cookie)
> >>     q="update "+usertable+" set SID='"+SID+"' where name='"+LLRuser+"' and password='"+LLRpw+"'"
>
> This gets hard to read (and debug) with all the single and double quotes
> mixed together. At a quick glance it's hard to differentiate the strings
> from the variables. Try something like this:
>
> q = "update %s set SID = '%s' where name = '%s' and password = '%s'" % (usertable, SID, LLRuser, LLRpw)
>
> Using "+" to concatenate strings is inefficient in python and generally
> avoided. For short strings it's not likely an issue, but I just want to
> make sure you are aware.
>
> Of course *using* q in a sql query still leaves you open to a sql
> injection attack ;).
>
> Jim
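An added example (not code from the thread or from mod_python) that puts the two queries Jim comments on side by side, using an in-memory sqlite3 database so it runs offline. The schema, the sample rows and the allow-list of table names are assumptions; sqlite3's `?` placeholder stands in for the `%s` of MySQLdb-style drivers.

```python
import sqlite3

# Constructed, self-contained stand-in for the app's database: sqlite3 in
# memory. The thread's real tables (client, the 'usertable' variable) are
# unknown, so the schema here is an assumption.
ALLOWED_USER_TABLES = {"client", "agent"}   # assumed allow-list for 'usertable'


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table client(clientid integer, name text, email text, password text, SID text);
        create table agent(agentid integer, name text, email text, password text, SID text);
        insert into client values (1, 'Pat O''Brien', 'o''brien@example.com', 'pw1', '');
        insert into client values (2, 'Sam', 'sam@example.com', 'pw2', '');
    """)
    return conn


def lookup_client_concat(conn, email):
    # The pattern from the thread: the value is pasted into the SQL text, so a
    # quote inside it is parsed as SQL syntax rather than as data.
    sql = "select clientid,name,password from client where email='" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_client_param(conn, email):
    # Jim's fix: bind the value and let the driver quote it. sqlite3 uses '?'
    # placeholders where MySQLdb uses '%s'; the mechanism is the same.
    sql = "select clientid,name,password from client where email=?"
    return conn.execute(sql, (email,)).fetchall()


def concat_breaks_on(conn, email):
    # True if the concatenated query fails to parse for this input.
    try:
        lookup_client_concat(conn, email)
    except sqlite3.OperationalError:
        return True
    return False


def set_sid(conn, usertable, sid, user, password):
    # The UPDATE from the thread. A table name cannot be a bound parameter, so
    # it is checked against an allow-list; every value is bound. The plaintext
    # password compare is kept only to mirror the original query.
    if usertable not in ALLOWED_USER_TABLES:
        raise ValueError("unknown user table: %r" % usertable)
    sql = "update %s set SID=? where name=? and password=?" % usertable
    return conn.execute(sql, (sid, user, password)).rowcount
```

A legitimate address containing an apostrophe already breaks the concatenated query, while the bound version compares the whole string as data.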