Bruno Desthuilliers wrote:
> Fuzzydave wrote:
> > (snip)
> """
> pubID=cgiForm.getvalue('pubID')
> pubName=cgiForm.getvalue('pubName','Unknown Publication')
>
> sqlcheck1 = "SELECT pub_type FROM medusa.cmi_publication WHERE pub_id = '"+pubID+"'"
> overseas1 = conn.query(sqlcheck1)
> pubType = cmi.fetch_rows(overseas1)
> """
>
> May we have the url where we can see this application in action ? I know
> some crackers that would be really pleased to mess with your production
> database...
>
In case Bruno's posting didn't make it obvious, your code is wide open to SQL injection exploits. Google is your friend.
The correct way to remove such vulnerabilities is to use parameterized queries, giving the parameters as a tuple second argument to cursor.execute().

regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC/Ltd http://www.holdenweb.com
Skype: holdenweb http://holdenweb.blogspot.com
Recent Ramblings http://del.icio.us/steve.holden
--
http://mail.python.org/mailman/listinfo/python-list
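The following is an added example, not part of the thread, showing the concatenated query from Fuzzydave's post next to the parameterized form Steve describes, and what each returns for an injected pub_id. The original database and driver are not available, so it uses an in-memory sqlite3 table (a constructed stand-in; the schema and row values are assumptions). sqlite3's placeholder token is `?`; other DB-API drivers use a different token (MySQLdb, for instance, uses `%s`), but the shape is the same: placeholders in the SQL text, values in a tuple as the second argument to execute().

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for medusa.cmi_publication (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cmi_publication (pub_id TEXT PRIMARY KEY, pub_type TEXT)"
    )
    conn.executemany(
        "INSERT INTO cmi_publication VALUES (?, ?)",
        [("P001", "journal"), ("P002", "overseas"), ("P003", "newsletter")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, pub_id):
    """Vulnerable: builds the query by string concatenation, as in the post.

    Whatever the CGI form sends in pub_id is parsed as SQL, so a quote in
    the input changes the statement's structure.
    """
    sql = "SELECT pub_type FROM cmi_publication WHERE pub_id = '" + pub_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, pub_id):
    """Safe: the value is bound to a placeholder, never parsed as SQL.

    The tuple is the second argument to execute(); the driver sends the
    statement and the value separately, so quotes in pub_id stay data.
    """
    sql = "SELECT pub_type FROM cmi_publication WHERE pub_id = ?"
    return [row[0] for row in conn.execute(sql, (pub_id,))]


# A constructed attacker-controlled form value: closes the string literal
# and tacks on an always-true condition.
INJECTED_PUB_ID = "' OR '1'='1"


def demo():
    conn = make_db()
    legit = "P001"
    return {
        "concat_legit": lookup_concat(conn, legit),
        "param_legit": lookup_param(conn, legit),
        # Concatenation: WHERE pub_id = '' OR '1'='1' matches every row.
        "concat_injected": lookup_concat(conn, INJECTED_PUB_ID),
        # Parameterized: looks for a pub_id literally equal to the payload.
        "param_injected": lookup_param(conn, INJECTED_PUB_ID),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16} -> {rows}")
```

Running it prints one row for the legitimate id in both versions, every pub_type in the table for the concatenated query fed the payload, and an empty result for the parameterized query fed the same payload. Note that escaping quotes by hand is not a substitute: the driver knows the server's quoting rules and character set, the application code generally does not.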