[mod_python] How do I troubleshoot a 500 Internal Server Error?

Alberto Ruiz al at ruiz.ws
Fri Mar 31 08:24:05 EST 2006


I really appreciate all of your feedback and help a lot on resolving my
issues.  I agree with the coding problems, but did I miss it somewhere?
Nobody addressed the issue why the meta tag is not being processed.  The
code was working fine on a Debian system as I mentioned in an earlier
thread.   I appreciate your patience, eventhough I'm a Python
programmer, I didn't write the code or had any previous experience on
writing web applications in Python.   I'm just helping a frustrated
friend who insists that the code was working before on a Debian system
and now it is not on a Freebsd one.    

  


On Fri, 2006-03-31 at 07:44 -0500, Jim Gallacher wrote:
> (Oops, let me try that again).
> 
> Not directly related to your 500 error, but hopefully you'll find my 
> suggestions useful in improving your code.
> 
> >> import time,random,string
> >> global DATEBOX
> >> from mod_python import Cookie
> >>
> >> def index (req,LLRuser='',LLRpw=''):
> >>     debugfile = open("/home/john/www/mydomain.com/debug.txt", "a")
> >>     debugfile.write("Begining of index function\n")
> >>     global R; R=req; R.content_type="text/html"
> 
> Avoid putting multiple statements on one line, as it's not considered 
> good python style. Personally I think it's bad C style as well. In my 
> experience it makes it harder to track down bugs.
> 
> > 
> > You should not store the request object in a global variable. If you  
> > ever move
> > to mod_python 3.X and use a multithreaded MPM it will break as multiple
> > threads may execute within the same module as the same time.
> > 
> >>     cur=DBconnectpropman.DB.cursor()
> >>     sidrefreshing=0
> >>     ZWF.R=R
> >>     global SID;SID=''
> >>     global UID;UID=''
> >>     cookies = Cookie.get_cookies(R, Cookie.MarshalCookie,
> >> secret='LLR14222222')
> >>     if LLRuser!='' and LLRpw!='':  # login attempt
> >>         if string.find(LLRuser,"@")!=-1: #client login attempt
> >>             cur.execute("select clientid,name,password from client where
> >> email='"+LLRuser+"'")
> 
> WARING! Potential sql injection attack.
> 
> You are leaving yourself open to a sql injection attack. Never trust 
> user provided data. You can avoid this problem by letting the python DBI 
> do the work for you. This will properly escape the content of LLRuser:
> 
> cur.execute("select clientid,name,password from client where email=%s" 
> ,LLRuser)
> 
> Note that you don't need to enclose the %s in single quotes here. The 
> DBI takes care of it for you.
> 
> >>                 x=random.randint(48,108)
> >>                 if x>57:x+=8
> >>                 if x>90:x+=6
> >>                 SID+=chr(x)
> >>             cookie = Cookie.Cookie('sid', SID); cookie.expires = 
> >> time.time() +
> >> 36000; Cookie.add_cookie(R, cookie)
> >>             q="update "+usertable+" set SID='"+SID+"' where 
> >> name='"+LLRuser+"'
> >> and password='"+LLRpw+"'"
> 
> This gets hard to read (and debug) with all the single and double quotes 
> mixed together. At a quick glance it's hard to differentiate the strings 
> from the variables. Try something like this:
> 
> q = "update %s set SID = '%s' where name = '%s' and password = '%s'" % 
> (usertable, SID, LLRuser, LLRpw)
> 
> Using "+" to concatenate strings is inefficient in python and generally 
> avoid. For short strings it's not likely an issue, but I just want to 
> make sure you are aware.
> 
> Of course *using* q in a sql query still leaves you open to a sql 
> injection attack ;).
> 
> Jim
> 
> 
> 



More information about the Mod_python mailing list