Being new to pgdb, I'm finding there are lot of things I don't understand
when I read the PEP and the sparse documentation on pgdb.
I was hoping there would be a module that would properly escape longer text
strings to prevent sql injection -- and other things just make sure the
python string object ends up being a properly type for postgresql. I've
bought 3 books on postgresql and none of th code samples demonstrate this.
web searchs for 'python sql escape string' yeild way too many results.
Any pointers would be greatly appreciated.
--
David Bear
-- let me buy your intellectual property, I want to own your thoughts --
10  6584 
David Bear wrote: Being new to pgdb, I'm finding there are lot of things I don't understand
when I read the PEP and the sparse documentation on pgdb.
I was hoping there would be a module that would properly escape longer text
strings to prevent sql injection -- and other things just make sure the
python string object ends up being a properly type for postgresql. I've
bought 3 books on postgresql and none of th code samples demonstrate this.
web searchs for 'python sql escape string' yeild way too many results.
Any pointers would be greatly appreciated.
for x in range(1000000):
print "USE PARAMETERS TO PASS VALUES TO THE DATABASE"
</F>
Fredrik Lundh wrote: web searchs for 'python sql escape string' yeild way too many results.
Any pointers would be greatly appreciated.
for x in range(1000000):
print "USE PARAMETERS TO PASS VALUES TO THE DATABASE"
for an example, see "listing 2" in the following article: http://www.amk.ca/python/writing/DB-API.html
(the database used in that example uses the "?" parameter style. your database
may prefer another style; check the paramstyle variable. see the DB API spec
for a descriptoin)
(a linuxjournal version of that article is linked from the pygresql site)
</F>
David Bear <da********@asu .edu> wrote: Being new to pgdb, I'm finding there are lot of things I don't understand
when I read the PEP and the sparse documentation on pgdb.
I was hoping there would be a module that would properly escape longer text
strings to prevent sql injection -- and other things just make sure the
python string object ends up being a properly type for postgresql. I've
bought 3 books on postgresql and none of th code samples demonstrate this.
All of the Python database modules will do this protection for you.
Example:
db = psycopg2.connec t(database='dbn ame')
c = db.cursor()
c.execute( "INSERT INTO table1 VALUES (%s,%s,%s);", (var1, var2, var3) )
Note that I have used a "comma", not the Python % operator, and I have not
done any quoting in the query. By doing that, I am instructing the
database module to do whatever protective quoting may be required for the
values I have passed, and substitute the quoted values into the string.
As long as you use that scheme, you should be safe from injection. It's
only when people try to do it themselves that they get in trouble, as in:
c.execute( "INSERT INTO table1 VALUES ('%s','%s','%s' );" % (var1, var2,
var3) ) # THIS IS WRONG
--
- Tim Roberts, ti**@probo.com
Providenza & Boekelheide, Inc.
David Bear wrote: Being new to pgdb, I'm finding there are lot of things I don't understand
when I read the PEP and the sparse documentation on pgdb.
I was hoping there would be a module that would properly escape longer text
strings to prevent sql injection -- and other things just make sure the
python string object ends up being a properly type for postgresql. I've
bought 3 books on postgresql and none of th code samples demonstrate this.
web searchs for 'python sql escape string' yeild way too many results.
Any pointers would be greatly appreciated.
I think I know where David is coming from, as I also battled to
understand this. I think that I have now 'got it', so I would like to
offer my explanation.
I used to think that each DB-API module transformed the 'string +
parameters' into a valid SQL command before passing it to the db.
However, this is not what is happening.
Every modern database provides an API to allow applications to interact
with the database programmaticall y. Typically these are intended for C
programs, but other languages may be supported. The authors of the
various DB-API modules provide a python wrapper around this to allow
use from a python program.
Each of the API's includes the capability of passing commands in the
form of 'string + parameters' directly into the database. This means
that the data values are never embedded into the SQL command at all,
and therefore there is no possibility of injection attacks.
The various API's use different syntaxes for passing the parameters. It
would have been nice if the DB-API had specified one method, and left
it to the author of each module to transform this into the form
required by the underlying API. Unfortunately the DB-API allows a
choice of 'paramstyles'. There may be technical reasons for this, but
it does make supporting multiple databases awkward.
Frank Millman
Frank Millman wrote: Each of the API's includes the capability of passing commands in the
form of 'string + parameters' directly into the database. This means
that the data values are never embedded into the SQL command at all,
and therefore there is no possibility of injection attacks.
another advantage with parameters is that if you do multiple operations which
differ only in parameters, the database may skip the SQL compilation and query
optimization passes.
The various API's use different syntaxes for passing the parameters. It
would have been nice if the DB-API had specified one method, and left
it to the author of each module to transform this into the form
required by the underlying API. Unfortunately the DB-API allows a
choice of 'paramstyles'. There may be technical reasons for this, but
it does make supporting multiple databases awkward.
agreed.
on the other hand, it shouldn't be that hard to create a function does this mapping
on the fly, so that drivers can be updated support any paramstyle... time for a DB
API 3.0 specification, perhaps ?
(I'd also like to see a better granularity; the current connection/cursor model is a
bit limited; a connection/cursor/query/result set model would be nicer, but I guess
ODBC gets in the way here...)
</F>
Fredrik Lundh wrote: Frank Millman wrote:
Each of the API's includes the capability of passing commands in the
form of 'string + parameters' directly into the database. This means
that the data values are never embedded into the SQL command at all,
and therefore there is no possibility of injection attacks.
another advantage with parameters is that if you do multiple operations which
differ only in parameters, the database may skip the SQL compilation and query
optimization passes.
The various API's use different syntaxes for passing the parameters. It
would have been nice if the DB-API had specified one method, and left
it to the author of each module to transform this into the form
required by the underlying API. Unfortunately the DB-API allows a
choice of 'paramstyles'. There may be technical reasons for this, but
it does make supporting multiple databases awkward.
agreed.
indeed. I suspect (not having been involved in the decisions) that the
variations were to minimise the work module implementers had to do to
get their modules working.
on the other hand, it shouldn't be that hard to create a function does this mapping
on the fly, so that drivers can be updated support any paramstyle... time for a DB
API 3.0 specification, perhaps ?
It would be a little tricky to convert name-based ("named" and
"pyformat", requiring a data mapping) parameterizatio ns to positional
ones ("qmark", "numeric" and "format", requiring a data sequence) and
vice versa. It's probably a worthwhile effort, though.
(I'd also like to see a better granularity; the current connection/cursor model is a
bit limited; a connection/cursor/query/result set model would be nicer, but I guess
ODBC gets in the way here...)
Yes, it would at least be nice to include some of the more advanced ways
of presenting query results.
regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC www.holdenweb.com
PyCon TX 2006 www.python.org/pycon/
Fredrik Lundh wrote: David Bear wrote:
Being new to pgdb, I'm finding there are lot of things I don't understand
when I read the PEP and the sparse documentation on pgdb.
I was hoping there would be a module that would properly escape longer
text strings to prevent sql injection -- and other things just make sure
the python string object ends up being a properly type for postgresql.
I've bought 3 books on postgresql and none of th code samples demonstrate
this.
web searchs for 'python sql escape string' yeild way too many results.
Any pointers would be greatly appreciated.
for x in range(1000000):
print "USE PARAMETERS TO PASS VALUES TO THE DATABASE"
</F>
Yes. Fredrik and others. Thank you for the advice.
I know have the following code:
...
parmChar = '%s'
sqlInsert = """INSERT INTO %s (%s) VALUES (%s); """ % (tn, ",
".join(fieldnam es), ", ".join([parmChar] * len(fieldnames) ))
try:
cursor.execute( sqlInsert, datum)
except pgdb.DatabaseEr ror:
logerror("Error on record insert \n %s \n %s" % (sqlInsert,
traceback.print _exc()))
I was not aware that the python db interface would just handle proper
escaping of python data types to proper postgresql data types.
Any other hints on database programming much appreciated.
--
David Bear
-- let me buy your intellectual property, I want to own your thoughts -- Steve Holden wrote:
Fredrik Lundh wrote: Frank Millman wrote:
Each of the API's includes the capability of passing commands in the
form of 'string + parameters' directly into the database. This means
that the data values are never embedded into the SQL command at all,
and therefore there is no possibility of injection attacks.
My news server didn't get Franks initial post to the group, so I'm glad that
Steve included it in his followup.
The statement above can cause relief or pain. Letting the DBAPI handle
proper string escapes, formating, etc., is a big relief. However, I am
still wondering what happens under the covers. If I have a string '1\n'
that I've read from some source and I really intend on inserting it into
the data base as a number 1, if the tape column it goes into is of type int
or num or float, will the DBAPI really know what to do with the newline?
--
David Bear
-- let me buy your intellectual property, I want to own your thoughts --
David Bear wrote:
The statement above can cause relief or pain. Letting the DBAPI handle
proper string escapes, formating, etc., is a big relief. However, I am
still wondering what happens under the covers. If I have a string '1\n'
that I've read from some source and I really intend on inserting it into
the data base as a number 1, if the tape column it goes into is of type int
or num or float, will the DBAPI really know what to do with the newline?
Try it and see. This is what I get - import psycopg2
db = psycopg2.connec t(database='myd b')
c = db.cursor()
c.execute('crea te table xxx (col1 int)')
c.execute('inse rt into xxx values (%s)', '1')
c.execute('inse rt into xxx values (%s)', 'a')
psycopg.Program mingError: invalid input syntax for integer: "a" c.execute('inse rt into xxx values (%s)', '1\n')
TypeError: not all arguments converted during string formatting
Different DBAPI modules may handle it differently.
Frank This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Dave Moore |
last post by:
Hi All,
Can anybody point me to a FAQ or similar that describes what all this
stuff is about please?. I'm interfacing with a MySQL database if that's
relavent. I've read a couple of books which refer to stripslahes and
'escaping' but nothing really explains what these terms are and why these
are used. Why is 'escaping' (whatever that is) used?. What the hell is a
magic quote?. How is it different from a non-magic one?.
Regards,
Dave
|
by: Aloysio Figueiredo |
last post by:
I need to replace every ocurrence of '/' in s by '\/'
in order to create a file named s. My first attempt
was:
s = '\/'.join(s.split('/'))
but it doesn't work:
>>> s = 'a/b'
>>> s = '\/'.join(s.split('/'))
|
by: felciano |
last post by:
Hi --
I am trying to use the csv module to parse a column of values
containing comma-delimited values with unusual escaping:
AAA, BBB, CCC (some text, right here), DDD
I want this to come back as:
|
by: bobbyballgame |
last post by:
I am having a problem calling Stored Procedures:
....
dim MyValue, MyOtherValue
MyValue = "Bobby's value"
MyOtherValue = Bobby's other value"
rs.Open "exec MyStoredProc """ & MyValue & """, """ & MyOtherValue & """",
Conn
|
by: Geoff Caplan |
last post by:
Hi folks,
The thread on injection attacks was very instructive, but seemed to
run out of steam at an interesting point. Now you guys have kindly
educated me about the real nature of the issues, can I ask again
what effective escaping really means?
Are the standard escaping functions found in the PHP, Tcl etc APIs to
Postgres bombproof? Are there any encodings that might slip through
and be cast to malicious strings inside Postgres?...
| | |
by: Jon |
last post by:
Hi,
I used XslCompiledTransform with the following Xsl file. The <xsl:text
disable-output-escaping="yes"does not work when using XslCompiledTransform
to do the trnasform (namely the output contain < not <), while it works when
using MSXML2 to do the transform. Does anyone have the same problem and how
to make the escape work? Thanks.
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
by: Taras_96 |
last post by:
Hi everyone,
I'm having a bit of trouble understanding the purpose of escaping
nulls, and the use of addcslashes.
Firstly, the manual states that:
"Strictly speaking, MySQL requires only that backslash and the quote
character used to quote the string in the query be escaped. This
function quotes the other characters to make them easier to read in
|
by: David Henderson |
last post by:
I know 'disable-output-escaping' has been discussed in the past, but I can't
put my finger on any of the threads to see if my current problem is
addressed. Sorry for re-asking the question if it has already been
answered...
I have an XML doc that I am transforming via XSLT and JavaScript in the
browser. This allows me to return unsorted data to the browser and allow
the user to sort it with a mouseclick and not hit the server just...
|
by: C C++ C++ |
last post by:
what is an escaping variable?
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |
