On 2014-06-25 22:58, celati Laurent wrote:
Hello,

I coded the following Python script via psycopg:

web_service_test.py
<http://python.6.x6.nabble.com/file/n5062113/web_service_test.py>

1/ When I execute it, the result is 'bad request'. Could you tell me why?

2/ Could you tell me how to protect this script from SQL injections please?

In answer to question 2, don't insert the values into the query string
as you're doing here:

selectString = "SELECT ST_AsText(geom), cult_lib FROM rpg WHERE ST_Intersects(SELECT ST_GeomFromText('POINT(%s %s)',2154), rpg)" % (x, y)

Instead, use the placeholder %s in the query string to indicate where the
values should go, and then pass that query string and a tuple of the
values to the .execute method:

# geom is the geometry column being tested; the point is built from the
# two bound values with ST_MakePoint rather than inside a quoted
# 'POINT(%s %s)' literal, because a placeholder that sits inside quotes is
# not treated as a placeholder and the query breaks once x and y are strings.
selectString = ("SELECT ST_AsText(geom), cult_lib FROM rpg "
                "WHERE ST_Intersects(geom, ST_SetSRID(ST_MakePoint(%s, %s), 2154))")
cur.execute(selectString, (x, y))

The database engine will insert the values itself, safely.
--
https://mail.python.org/mailman/listinfo/python-list
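The two ways of building the query, side by side, as an added example that is not part of the thread above and not the poster's web_service_test.py. It runs against an in-memory SQLite database so it works offline: SQLite has no PostGIS, so the constructed 'rpg' table stores the geometry as WKT text and matches it by equality instead of ST_Intersects, but the mistake and the fix have exactly the same shape as with psycopg2 (whose placeholder is %s rather than ?). The rows, the PAYLOAD_X string and the handle_request function are all constructed for illustration. It also shows the one caveat a practitioner runs into when applying the advice literally: a placeholder inside a quoted 'POINT(? ?)' literal is just text, so nothing gets bound.

```python
import sqlite3

# Constructed sample data standing in for the thread's 'rpg' table (hypothetical).
SAMPLE_ROWS = [
    ("POINT(1.0 1.0)", "wheat"),
    ("POINT(2.0 2.0)", "maize"),
    ("POINT(3.0 3.0)", "vines"),
]

# A hostile x value: closes the POINT(...) literal, appends OR 1=1 and
# comments out whatever follows. Constructed for this example.
PAYLOAD_X = "0 0)' OR 1=1 --"


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rpg (point TEXT, cult_lib TEXT)")
    conn.executemany("INSERT INTO rpg VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, x, y):
    """The original script's mistake: x and y are pasted into the SQL text,
    so a value that contains a quote rewrites the WHERE clause."""
    sql = "SELECT cult_lib FROM rpg WHERE point = 'POINT(%s %s)'" % (x, y)
    return [row[0] for row in conn.execute(sql)]


def lookup_placeholder_in_literal(conn, x, y):
    """Placeholders inside a quoted literal are not placeholders. sqlite3 sees
    a statement with zero parameters and raises ProgrammingError for the two
    supplied values (returned here as a string). psycopg2 splices the adapted
    values into the text instead, so string inputs produce
    'POINT('1.0' '2.0')' and the server rejects the query."""
    sql = "SELECT cult_lib FROM rpg WHERE point = 'POINT(? ?)'"
    try:
        return [row[0] for row in conn.execute(sql, (x, y))]
    except sqlite3.ProgrammingError as exc:
        return "driver error: %s" % exc


def lookup_safe(conn, x, y):
    """x and y are already floats; the WKT is built in Python and bound as
    one value, so the database never interprets it as SQL."""
    wkt = "POINT(%s %s)" % (x, y)
    sql = "SELECT cult_lib FROM rpg WHERE point = ?"
    return [row[0] for row in conn.execute(sql, (wkt,))]


def handle_request(conn, x, y):
    """What the web handler should do with the raw request strings: validate
    them as numbers first (400 otherwise), then run the bound query."""
    try:
        fx, fy = float(x), float(y)
    except (TypeError, ValueError):
        return 400, []
    return 200, lookup_safe(conn, fx, fy)


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "1.0", "1.0"))          # ['wheat']
    print(lookup_vulnerable(conn, PAYLOAD_X, "0"))        # every row leaks
    print(lookup_placeholder_in_literal(conn, "1.0", "1.0"))
    print(handle_request(conn, "2.0", "2.0"))             # (200, ['maize'])
    print(handle_request(conn, PAYLOAD_X, "0"))           # (400, [])
```

With psycopg2 the same idea is to bind the numbers directly, for instance ST_SetSRID(ST_MakePoint(%s, %s), 2154) with (x, y) as floats, or to bind a single WKT string to ST_GeomFromText(%s, 2154); in either case the %s stays outside any quotes. Binding only covers values: a table or column name still cannot be passed as a parameter and needs separate handling (in later psycopg2 releases, psycopg2.sql.Identifier).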
