By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
445,645 Members | 1,048 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 445,645 IT Pros & Developers. It's quick & easy.

Converting Perl Web Report to Python

P: n/a
I enjoyed Paul Barry's September article in Linux Journal entitled,
"Web Reporting with MySQL, CSS and Perl". It provides a simple,
elegant way to use HTML to display database content without any sql
markup in the cgi script. The cgi script simply calls the Mysql
command line with the HTML option (-H) and the SQL script file directed
to that command. This provides complete separation of the markup from
the sql code. The plain vanila HTML output can be spruced up with CSS
to provide more color and size control of the HTML.

Could this script be easily converted to Python? How would you execute
the Msql command line and direct the output to a variable for display
in the cgi script? Would it be possible to easily enhance this script
by allowing the user to pass in an SQL query parameter to the sql
script? I attempted this in Perl by substituting the string "p_1" in
the where clause of the sql code but I could not substitute this string
with the value in the cgi code (ie. $query =~ s/p_1/value_variable/;).
Perhaps it would be easier in Python?

Also, would the user supplied parameter be a security issue?
Thanks!

Below is a link to the article:
http://delivery.acm.org/10.1145/1160...FTOKEN=6184618

Sep 23 '06 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Dennis,
Wow! Talk about RAD development... Nice job... Errr, real nice job. I
will test your concepts and see how it works.
Thanks a ton. You far exceeded my expectations!
Pat

Dennis Lee Bieber wrote:
On 23 Sep 2006 06:04:16 -0700, "pm******@gmail.com" <pm******@gmail.com>
declaimed the following in comp.lang.python:

Answering bottom up...

Could this script be easily converted to Python? How would you execute
the Msql command line and direct the output to a variable for display
in the cgi script? Would it be possible to easily enhance this script
by allowing the user to pass in an SQL query parameter to the sql
script? I attempted this in Perl by substituting the string "p_1" in
the where clause of the sql code but I could not substitute this string
with the value in the cgi code (ie. $query =~ s/p_1/value_variable/;).
Perhaps it would be easier in Python?

Also, would the user supplied parameter be a security issue?

Unless you duplicate the type of checking a db-api module does for
parameterized queries -- indubitably...

I don't do PERL, but from what I see, they are essentially doing the
equivalent of a popen() call.

-=-=-=-=-=-=-=-=- script1.py
import os

USERID = "BestiariaCP" #this account is a read-only, no password
DBNAME = "bestiaria" #used for CherryTemplate page generation

# lacking a CGI interface, I'm just going to put in a few assignments
query = "script1.sql"
title = "This is demonstrably nonsense"

cmdline = "mysql -H -u %s %s < %s" % (USERID, DBNAME, query)

# I don't know what header and start_html() do, so just a dummy here
print """
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>%s</title>
</head>

<body>
""" % title

rpipe = os.popen(cmdline, "r")
results = rpipe.readlines()
rpipe.close()

print '<h3 align="center">%s</h3>' % title
print "".join(results)
print '<br><h4 align="center">This was a sample</h4>'
print "</body>\n</html>"
-=-=-=-=-=-=-=-=-=- script1.sql
select name, URL, description, occurs
from comics
order by name;
-=-=-=-=-=-=-=-=-=- script1.html (excluded middle)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>This is demonstrably nonsense</title>
</head>

<body>

<h3 align="center">This is demonstrably nonsense</h3>
<TABLE
BORDER=1><TR><TH>name</TH><TH>URL</TH><TH>description</TH><TH>occurs</TH></TR><TR><TD>A
Doemain of Our Own</TD><TD>http://www.doemain.com/</TD><TD>The new
family on the block.</TD><TD>Typically Friday, though some Monday and
Wednesday
updates</TD></TR><TR><TD>Aford</TD><TD>http://www.afordturtle.com/</TD><TD>A
turtle, a snake, and a robin; and their life in the
forest.</TD><TD>Daily</TD></TR>

<TR><TD>Virtual Comix</TD><TD>http://comix.keenspace.com/</TD><TD>He's
the insane rabbit next door.</TD><TD>No updates since March of
2003</TD></TR><TR><TD>West Corner of the
Park</TD><TD>http://www.graphxpress.com/</TD><TD>Inspired by FurryMUCK,
and done by Jim Groat, the creator of <i>Red
Shetland</i>.</TD><TD>Usually late Sunday, unless a Furry Convention
happens</TD></TR><TR><TD>Whatever
USA</TD><TD>http://whateverusa.keenspace.com/</TD><TD>A precocious
porcupine pup and his pals.</TD><TD>Sporadic</TD></TR><TR><TD>Wild
Angels</TD><TD>http://www.ottercomics.com/angels/</TD><TD>It'll put the
fur of God in you.</TD><TD>Irregular (between two and seven times each
month)</TD></TR><TR><TD>Wyldfire</TD><TD>http://www.morgankeithstudios.com/projects_wyldfire.html</TD><TD>What
if the cat stuck up a tree <i>is</ithe fireman?</TD><TD>Archives
available</TD></TR></TABLE>
<br><h4 align="center">This was a sample</h4>
</body>
</html>

Seems like a lot of hassle to go through when a Python function can
generate similar results without losing the safety of parameterized
queries (I do hope the SQL files the CGI is specifying were pre-defined,
and not something the user uploads <G>)
-=-=-=-=-=-=-=- script2.py
import MySQLdb

USERID = "BestiariaCP" #this account is a read-only, no password
DBNAME = "bestiaria" #used for CherryTemplate page generation

# lacking a CGI interface, I'm just going to put in a few assignments
queryfile = "script1.sql"
title = "This is demonstrably nonsense"

cn = MySQLdb.connect(host="localhost", user=USERID, db=DBNAME)
cr = cn.cursor()

# I don't know what header and start_html() do, so just a dummy here
print """
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>%s</title>
</head>

<body>
""" % title

qin = open(queryfile, "r")
query = " ".join(qin.readlines())
qin.close()

cr.execute(query) #no parameters assumed

# THE FOLLOWING BLOCK OF CODE COULD EASILY BE MADE A
# FUNCTION IN SOME HTML REPORTING MODULE AS IT IS NOT
# DEPENDENT UPON THE ACTUAL QUERY TO KNOW WHAT TO PRODUCE

print '<h3 align="center">%s</h3>' % title
print '<table border="1">\n<tr>',
for fld in cr.description:
print "<th>%s</th>" % fld[0],
print "</tr>"

for rec in cr:
print "<tr>",
for fld in rec:
print "<td>%s</td>" % fld,
print "</tr>"
print "</table>"

# BACK TO ORIGINAL CONTENT

print '<br><h4 align="center">This was a sample</h4>'
print "</body>\n</html>"

cr.close()
cn.close()
-=-=-=-=-=- USES SAME SQL FILE
-=-=-=-=-=-=- script2.html (excluded middle)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>This is demonstrably nonsense</title>
</head>

<body>

<h3 align="center">This is demonstrably nonsense</h3>
<table border="1">
<tr<th>name</th<th>URL</th<th>description</th<th>occurs</th>
</tr>
<tr<td>A Doemain of Our Own</td<td>http://www.doemain.com/</td>
<td>The new family on the block.</td<td>Typically Friday, though some
Monday and Wednesday updates</td</tr>
<tr<td>Aford</td<td>http://www.afordturtle.com/</td<td>A turtle, a
snake, and a robin; and their life in the forest.</td<td>Daily</td>
</tr>

<tr<td>Virtual Comix</td<td>http://comix.keenspace.com/</td>
<td>He's the insane rabbit next door.</td<td>No updates since March of
2003</td</tr>
<tr<td>West Corner of the Park</td>
<td>http://www.graphxpress.com/</td<td>Inspired by FurryMUCK, and done
by Jim Groat, the creator of <i>Red Shetland</i>.</td<td>Usually late
Sunday, unless a Furry Convention happens</td</tr>
<tr<td>Whatever USA</td<td>http://whateverusa.keenspace.com/</td>
<td>A precocious porcupine pup and his pals.</td<td>Sporadic</td>
</tr>
<tr<td>Wild Angels</td<td>http://www.ottercomics.com/angels/</td>
<td>It'll put the fur of God in you.</td<td>Irregular (between two and
seven times each month)</td</tr>
<tr<td>Wyldfire</td>
<td>http://www.morgankeithstudios.com/projects_wyldfire.html</td>
<td>What if the cat stuck up a tree <i>is</ithe fireman?</td>
<td>Archives available</td</tr>
</table>
<br><h4 align="center">This was a sample</h4>
</body>
</html>
--
Wulfraed Dennis Lee Bieber KD6MOG
wl*****@ix.netcom.com wu******@bestiaria.com
HTTP://wlfraed.home.netcom.com/
(Bestiaria Support Staff: we******@bestiaria.com)
HTTP://www.bestiaria.com/
Sep 23 '06 #2

P: n/a
Dennis,
I was able to execute the Mysql command line code you created in
"script1.py". I was not able to test the "preferred" method used in
script2.py. I will do this later this week when I have more time to
download and install the required MySQLdb module. In any event, I
would like to know how to search and replace a given string in the sql
to a user supplied value before execution.

For example, lets say that your sql script looks like this:
-=-=-=-=-=-=-=-=-=- script1.sql
select name, URL, description, occurs
from comics
where URL like '%MyParam_1%' # Note that "MyParam_1" represents
a "catch" string.
order by name;
-=-=-=-=-=-=-=-=-=-
Using the script2.py process, how could I safely convert the above
string, "MyParam_1" to a user supplied argument (ie. "comix") before
the SQL is executed?

This capability would allow each sql script to be extendable. It would
allow me to embed a URL with specific parameters in report OR in Wiki
pages, emails when I need to.
Thanks!
Pat

Dennis Lee Bieber wrote:
On 23 Sep 2006 06:04:16 -0700, "pm******@gmail.com" <pm******@gmail.com>
declaimed the following in comp.lang.python:

Answering bottom up...

Could this script be easily converted to Python? How would you execute
the Msql command line and direct the output to a variable for display
in the cgi script? Would it be possible to easily enhance this script
by allowing the user to pass in an SQL query parameter to the sql
script? I attempted this in Perl by substituting the string "p_1" in
the where clause of the sql code but I could not substitute this string
with the value in the cgi code (ie. $query =~ s/p_1/value_variable/;).
Perhaps it would be easier in Python?

Also, would the user supplied parameter be a security issue?

Unless you duplicate the type of checking a db-api module does for
parameterized queries -- indubitably...

I don't do PERL, but from what I see, they are essentially doing the
equivalent of a popen() call.

-=-=-=-=-=-=-=-=- script1.py
import os

USERID = "BestiariaCP" #this account is a read-only, no password
DBNAME = "bestiaria" #used for CherryTemplate page generation

# lacking a CGI interface, I'm just going to put in a few assignments
query = "script1.sql"
title = "This is demonstrably nonsense"

cmdline = "mysql -H -u %s %s < %s" % (USERID, DBNAME, query)

# I don't know what header and start_html() do, so just a dummy here
print """
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>%s</title>
</head>

<body>
""" % title

rpipe = os.popen(cmdline, "r")
results = rpipe.readlines()
rpipe.close()

print '<h3 align="center">%s</h3>' % title
print "".join(results)
print '<br><h4 align="center">This was a sample</h4>'
print "</body>\n</html>"
-=-=-=-=-=-=-=-=-=- script1.sql
select name, URL, description, occurs
from comics
order by name;
-=-=-=-=-=-=-=-=-=- script1.html (excluded middle)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>This is demonstrably nonsense</title>
</head>

<body>

<h3 align="center">This is demonstrably nonsense</h3>
<TABLE
BORDER=1><TR><TH>name</TH><TH>URL</TH><TH>description</TH><TH>occurs</TH></TR><TR><TD>A
Doemain of Our Own</TD><TD>http://www.doemain.com/</TD><TD>The new
family on the block.</TD><TD>Typically Friday, though some Monday and
Wednesday
updates</TD></TR><TR><TD>Aford</TD><TD>http://www.afordturtle.com/</TD><TD>A
turtle, a snake, and a robin; and their life in the
forest.</TD><TD>Daily</TD></TR>

<TR><TD>Virtual Comix</TD><TD>http://comix.keenspace.com/</TD><TD>He's
the insane rabbit next door.</TD><TD>No updates since March of
2003</TD></TR><TR><TD>West Corner of the
Park</TD><TD>http://www.graphxpress.com/</TD><TD>Inspired by FurryMUCK,
and done by Jim Groat, the creator of <i>Red
Shetland</i>.</TD><TD>Usually late Sunday, unless a Furry Convention
happens</TD></TR><TR><TD>Whatever
USA</TD><TD>http://whateverusa.keenspace.com/</TD><TD>A precocious
porcupine pup and his pals.</TD><TD>Sporadic</TD></TR><TR><TD>Wild
Angels</TD><TD>http://www.ottercomics.com/angels/</TD><TD>It'll put the
fur of God in you.</TD><TD>Irregular (between two and seven times each
month)</TD></TR><TR><TD>Wyldfire</TD><TD>http://www.morgankeithstudios.com/projects_wyldfire.html</TD><TD>What
if the cat stuck up a tree <i>is</ithe fireman?</TD><TD>Archives
available</TD></TR></TABLE>
<br><h4 align="center">This was a sample</h4>
</body>
</html>

Seems like a lot of hassle to go through when a Python function can
generate similar results without losing the safety of parameterized
queries (I do hope the SQL files the CGI is specifying were pre-defined,
and not something the user uploads <G>)
-=-=-=-=-=-=-=- script2.py
import MySQLdb

USERID = "BestiariaCP" #this account is a read-only, no password
DBNAME = "bestiaria" #used for CherryTemplate page generation

# lacking a CGI interface, I'm just going to put in a few assignments
queryfile = "script1.sql"
title = "This is demonstrably nonsense"

cn = MySQLdb.connect(host="localhost", user=USERID, db=DBNAME)
cr = cn.cursor()

# I don't know what header and start_html() do, so just a dummy here
print """
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>%s</title>
</head>

<body>
""" % title

qin = open(queryfile, "r")
query = " ".join(qin.readlines())
qin.close()

cr.execute(query) #no parameters assumed

# THE FOLLOWING BLOCK OF CODE COULD EASILY BE MADE A
# FUNCTION IN SOME HTML REPORTING MODULE AS IT IS NOT
# DEPENDENT UPON THE ACTUAL QUERY TO KNOW WHAT TO PRODUCE

print '<h3 align="center">%s</h3>' % title
print '<table border="1">\n<tr>',
for fld in cr.description:
print "<th>%s</th>" % fld[0],
print "</tr>"

for rec in cr:
print "<tr>",
for fld in rec:
print "<td>%s</td>" % fld,
print "</tr>"
print "</table>"

# BACK TO ORIGINAL CONTENT

print '<br><h4 align="center">This was a sample</h4>'
print "</body>\n</html>"

cr.close()
cn.close()
-=-=-=-=-=- USES SAME SQL FILE
-=-=-=-=-=-=- script2.html (excluded middle)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>This is demonstrably nonsense</title>
</head>

<body>

<h3 align="center">This is demonstrably nonsense</h3>
<table border="1">
<tr<th>name</th<th>URL</th<th>description</th<th>occurs</th>
</tr>
<tr<td>A Doemain of Our Own</td<td>http://www.doemain.com/</td>
<td>The new family on the block.</td<td>Typically Friday, though some
Monday and Wednesday updates</td</tr>
<tr<td>Aford</td<td>http://www.afordturtle.com/</td<td>A turtle, a
snake, and a robin; and their life in the forest.</td<td>Daily</td>
</tr>

<tr<td>Virtual Comix</td<td>http://comix.keenspace.com/</td>
<td>He's the insane rabbit next door.</td<td>No updates since March of
2003</td</tr>
<tr<td>West Corner of the Park</td>
<td>http://www.graphxpress.com/</td<td>Inspired by FurryMUCK, and done
by Jim Groat, the creator of <i>Red Shetland</i>.</td<td>Usually late
Sunday, unless a Furry Convention happens</td</tr>
<tr<td>Whatever USA</td<td>http://whateverusa.keenspace.com/</td>
<td>A precocious porcupine pup and his pals.</td<td>Sporadic</td>
</tr>
<tr<td>Wild Angels</td<td>http://www.ottercomics.com/angels/</td>
<td>It'll put the fur of God in you.</td<td>Irregular (between two and
seven times each month)</td</tr>
<tr<td>Wyldfire</td>
<td>http://www.morgankeithstudios.com/projects_wyldfire.html</td>
<td>What if the cat stuck up a tree <i>is</ithe fireman?</td>
<td>Archives available</td</tr>
</table>
<br><h4 align="center">This was a sample</h4>
</body>
</html>
--
Wulfraed Dennis Lee Bieber KD6MOG
wl*****@ix.netcom.com wu******@bestiaria.com
HTTP://wlfraed.home.netcom.com/
(Bestiaria Support Staff: we******@bestiaria.com)
HTTP://www.bestiaria.com/
Sep 24 '06 #3

P: n/a
Thanks again Dennis,
This should do what I want with additional flexibility... I will
develop the code later this week. During this excersize, I have come
to really appreciate Python over Perl. I love the Python command line
interpreter that allowed me to pretest any code very quickly. What
Python learning resource (book web link or both) do you recommend?
Pat

Dennis Lee Bieber wrote:
On 24 Sep 2006 14:05:29 -0700, "pm******@gmail.com" <pm******@gmail.com>
declaimed the following in comp.lang.python:

download and install the required MySQLdb module. In any event, I
would like to know how to search and replace a given string in the sql
to a user supplied value before execution.
I would not even want to try to code that. I will mention that the
default mode for MySQLdb is to use %s as the substitution field, and
since both scripts used the same SQL file...
For example, lets say that your sql script looks like this:
-=-=-=-=-=-=-=-=-=- script1.sql
select name, URL, description, occurs
from comics
where URL like '%MyParam_1%' # Note that "MyParam_1" represents
a "catch" string.
order by name;
-=-=-=-=-=-=-=-=-=-
select name, URL, description, occurs
from comics
where URL like %s
order by name;

Then, on the cursor.execute() call:
cr.execute(query) #no parameters assumed

cr.execute(query, ("%" + MyParam_1 + "%",))

{MySQLdb /can/ work with a singleton for convenience, but the DB-API
emphasizes a tuple be passed, hence the (... ,) to create a tuple}

I'm presuming you do not require the "user" to enter the % wildcards
on search terms.

MySQLdb can also be fed with a dictionary (last time I looked, at
least) so something like:

select name, URL, description, occurs
from comics
where URL like %(MyParam_1)s or URL like %(MyParam_2)s
order by name;

and

params = {}
params["MyParam_1"] = "%" + somevariable + "%"
params["MyParam_2"] = "%" + anotherstring + "%"
cr.execute(query, params)

may be possible (I've never used this mode, so no confirmation).
--
Wulfraed Dennis Lee Bieber KD6MOG
wl*****@ix.netcom.com wu******@bestiaria.com
HTTP://wlfraed.home.netcom.com/
(Bestiaria Support Staff: we******@bestiaria.com)
HTTP://www.bestiaria.com/
Sep 25 '06 #4

P: n/a

pm******@gmail.com wrote:
Thanks again Dennis,
This should do what I want with additional flexibility... I will
develop the code later this week. During this excersize, I have come
to really appreciate Python over Perl. I love the Python command line
interpreter that allowed me to pretest any code very quickly. What
Python learning resource (book web link or both) do you recommend?
I have 3 O'Reilly books that are indispensable: "Python Pocket
Reference", "Python Cookbook", and "Learning Python"

Sep 25 '06 #5

This discussion thread is closed

Replies have been disabled for this discussion.