[mod_python] Problem with html quoted/unquoted

Wouter van Marle wouter at squirrel-systems.com
Wed May 17 11:53:23 EDT 2006

On Wed, 2006-05-17 at 11:46 -0400, Jim Gallacher wrote:
> Wouter van Marle wrote:
> > Dear Deron,
> > 
> > Thank you for the comments. I understand your ideas; unfortunately it
> > does not solve my problem.
> > 
> > The info I get from another website, this origin gives me the info in
> > the ampersand form (that third party site is a Netscape server by the
> > way! Didn't know they are still in use, very remarkable). And I like
> > that.
> > The main reason to continue using that format is the " (double-quotes)
> > and ' (single quotes). These characters are used in the data that I try
> > to store in the mysql base, and that fantastically messes up with the
> > queries....
> > imagine: s = "this is 'a' string"
> > then say query = """ SELECT * FROM base WHERE field = "%s";"""% s
> > 
> > But what about when s can be 'this is "a" string'
> > or s = """this is a 5", 'b' sized thing""".
> Don't build your query string that way, *especially* if you are getting 
> data from an untrusted source. You are laying yourself open to a SQL 
> injection attack. You want to use parameter passing. (for MySQLdb)
> cur.execute("SELECT * FROM base WHERE field = %s", s)

I have tried this (once) with MySQLdb, and it doesn't seem to work like
that. (v1.2.1g2) Didn't pursue the issue further.

I am aware of the issues of SQL injection. For that reason I've given
the web script a special user with only very limited capabilities, to at
least make it a little harder for attackers.


> The DBI will escape the quote characters for you (as well as the ';' 
> character), and stick quotes around the %s in the query string if required.
> Jim

More information about the Mod_python mailing list