[mod_python] Problem with html quoted/unquoted

Jim Gallacher jpg at jgassociates.ca
Wed May 17 11:46:29 EDT 2006


Wouter van Marle wrote:
> Dear Deron,
> 
> Thank you for the comments. I understand your ideas; unfortunately it
> does not solve my problem.
> 
> The info I get from another website, this origin gives me the info in
> the ampersand form (that third party site is a Netscape server by the
> way! Didn't know they are still in use, very remarkable). And I like
> that.
> The main reason to continue using that format is the " (double-quotes)
> and ' (single quotes). These characters are used in the data that I try
> to store in the mysql base, and that fantastically messes up with the
> queries....
> imagine: s = "this is 'a' string"
> then say query = """ SELECT * FROM base WHERE field = "%s";"""% s
> 
> But what about when s can be 'this is "a" string'
> or s = """this is a 5", 'b' sized thing""".


Don't build your query string that way, *especially* if you are getting 
data from an untrusted source. You are laying yourself open to a SQL 
injection attack. You want to use parameter passing (for MySQLdb):

cur.execute("SELECT * FROM base WHERE field = %s", (s,))

The DBI will escape the quote characters for you (as well as the ';' 
character), and stick quotes around the %s in the query string if required.

Jim
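
An added example (not from the original mail or from MySQLdb) showing the two constructions side by side on Wouter's own sample strings. It assumes the standard-library sqlite3 module as a stand-in for MySQLdb, so the placeholder is ? rather than %s; the table name and column are the ones used in the thread.

```python
import sqlite3

# Constructed sample values: the three strings from the quoted mail.
SAMPLES = [
    "this is 'a' string",
    'this is "a" string',
    """this is a 5", 'b' sized thing""",
]


def make_db():
    # In-memory table with the same name/column as in the thread (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE base (field TEXT)")
    con.executemany("INSERT INTO base (field) VALUES (?)",
                    [(s,) for s in SAMPLES])
    return con


def lookup_formatted(con, s):
    # The construction from the quoted mail: any quote inside s becomes
    # part of the SQL text, so the statement breaks or changes meaning.
    query = 'SELECT field FROM base WHERE field = "%s";' % s
    try:
        return [row[0] for row in con.execute(query)]
    except sqlite3.OperationalError as e:
        return "error: %s" % e


def lookup_parameterized(con, s):
    # The driver binds s as a value; its quotes never reach the SQL parser.
    # MySQLdb spells the placeholder %s, sqlite3 spells it ?.
    return [row[0] for row in
            con.execute("SELECT field FROM base WHERE field = ?", (s,))]


if __name__ == "__main__":
    db = make_db()
    for s in SAMPLES:
        print("formatted:    ", lookup_formatted(db, s))
        print("parameterized:", lookup_parameterized(db, s))
```

With parameters every sample round-trips exactly, and an input such as x" OR "1"="1 is looked up as a plain string (matching nothing) instead of being parsed as SQL.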

