Prev: Does pickled objects work fine between different OS?
Next: <python setup.py install_data> question
From: Alister on 27 May 2010 00:10
On Wed, 26 May 2010 15:30:16 -0700, John Nagle wrote:

> Alister wrote:
>> I think you should probably also write your execute differently:
>>
>>>>> clientCursor.execute('select ID from %s' , (personalDataTable,))
>>
>> this ensures the parameters are correctly escaped to prevent mysql
>> injection attacks,the "," after personalDataTable is necessary to
>> ensure the parameter is passed as a tuple
>
> Actually, no. The names of tables are not quoted in SQL.
> One writes
>
> SELECT ID FROM mytable;
>
> not
>
> SELECT ID FROM "mytable";
>
> so you don't want to run table names through the quoting and escaping
> function. If the table name is a variable, you need to be very careful
> about where it comes from.
>
> On the other hand, if you're specifying a data value, a field that's
> normally quoted, as in
>
> SELECT ID from mytable WHERE mykey="foo";
>
> you write
>
> cursor.execute("SELECT ID FROM mytable WHERE mykey=%s",
(mykeyval,))
>
> to get proper escaping. Don't put quote marks around the %s; MySQLdb
> does that.
>
> Also, if you're selecting every entry in a database, without a
> WHERE or ORDER BY clause, you will get the entries in more or less
> random order.
>
> John Nagle

Thanks i hadn't read the search string fully.
in this case if personalDataTable is generated by user input it should be
carefully checked as it will still be a possible source of attack.

The golden rule with user input is trust nothing.




--
QOTD:
"I won't say he's untruthful, but his wife has to call the
dog for dinner."
From: Tim Golden on 27 May 2010 03:39
On 26/05/2010 23:24, Christian Heimes wrote:
>> Actually, no. The names of tables are not quoted in SQL.
>> One writes
>>
>> SELECT ID FROM mytable;
>>
>> not
>>
>> SELECT ID FROM "mytable";
>
> nit picking mode:
>
> Some RDBMS support case sensitive table names. You have to quote the
> table name if you using the feature. Yeah I know, it's pretty bad idea
> but it's possible.

Also -- at least in MSSQL -- if the table name contains spaces
(and probably certain other characters which I can't be bothered to
research at this moment).

TJG
First  |  Prev  | 
Pages: 1 2
Prev: Does pickled objects work fine between different OS?
Next: <python setup.py install_data> question