Re: protect psycopg script from sql injection?

2014-06-26 Thread Peter Otten
celati Laurent wrote:

> I coded this following python script via psycopg;
> 
> web_service_test.py
> 
> 
> 1/ When I execute it, the result is 'bad request'. Could you tell me why?

No, but you might find out yourself. When you remove the overly broad

try:
    ... # code that may fail
except:
    print "Bad request"

and just keep the code in the try suite


... # code that may fail

Python will produce an informative traceback. In the (unlikely) case that 
with that extra information you still cannot find the problem in your code 
come back here and post the complete traceback.



-- 
https://mail.python.org/mailman/listinfo/python-list


Re: protect psycopg script from sql injection?

2014-06-25 Thread MRAB

On 2014-06-25 22:58, celati Laurent wrote:

> Hello,
> 
> I coded this following python script via psycopg;
> 
> web_service_test.py
> 
> 1/ When I execute it, the result is 'bad request'. Could you tell me why?
> 
> 2/ Could you tell me how to protect this script from SQL injections please?


In answer to question 2, don't insert the values into the query string
as you're doing here:

selectString = ("SELECT ST_AsText(geom), cult_lib FROM rpg WHERE "
                "ST_Intersects(SELECT ST_GeomFromText('POINT(%s %s)',2154), rpg)") % (x, y)


Instead, use the placeholder %s in the query string to indicate where the
values should go, and then pass that query string and a tuple of the
values to the .execute method:

selectString = ("SELECT ST_AsText(geom), cult_lib FROM rpg WHERE "
                "ST_Intersects(SELECT ST_GeomFromText('POINT(%s %s)',2154), rpg)")

cur.execute(selectString, (x, y))

The database engine will insert the values itself, safely.
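As an added example, not code from the thread: a Python 3 rewrite of the lookup that uses psycopg2 placeholders the way MRAB describes and the narrow exception handling Peter Otten asks for instead of a bare except. It assumes psycopg2, the table and columns named in the thread (rpg, geom, cult_lib, with geom as the geometry column) and a DSN of dbname=gis; ST_SetSRID(ST_MakePoint(%s, %s), 2154) replaces the quoted 'POINT(%s %s)' literal because psycopg2 substitutes placeholders textually, so a placeholder inside a quoted literal only works while the parameters happen to be numbers.

```python
import sys
from contextlib import closing

# The SQL text is fixed at import time. The %s are psycopg2 placeholders,
# not Python %-formatting, so no request data is ever spliced into it.
# ST_MakePoint here is an assumption replacing the quoted 'POINT(%s %s)'
# literal: psycopg2 substitutes %s textually, and a placeholder inside a
# quoted literal yields doubled quotes when the parameter is a string.
SELECT_SQL = (
    "SELECT ST_AsText(geom), cult_lib FROM rpg "
    "WHERE ST_Intersects(geom, ST_SetSRID(ST_MakePoint(%s, %s), 2154))"
)


def build_query(x, y):
    """Validate coordinates; return (sql, params) for cursor.execute()."""
    # float() rejects anything that is not a number (text, '12,5' with a
    # decimal comma), so the parameters can only ever be numbers.
    try:
        params = (float(x), float(y))
    except (TypeError, ValueError):
        raise ValueError("coordinates must be numeric, got %r %r" % (x, y))
    return SELECT_SQL, params


def fetch_parcels(conn, x, y):
    """Run the lookup on an open psycopg2 connection and return the rows."""
    sql, params = build_query(x, y)
    with conn.cursor() as cur:
        cur.execute(sql, params)  # driver quotes the values, apart from the SQL
        return cur.fetchall()


def main(argv):
    import psycopg2  # imported here so build_query stays importable without it
    try:
        with closing(psycopg2.connect("dbname=gis")) as conn:  # assumed DSN
            for wkt, cult in fetch_parcels(conn, argv[1], argv[2]):
                print(cult, wkt)
    except (ValueError, psycopg2.Error) as exc:
        # Narrow except: report the real error instead of a blanket
        # "Bad request", which is what hid the cause of the poster's problem.
        print("error:", exc, file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python web_service_test.py 652000 6862000` (Lambert 93 coordinates, constructed); the SQL sent to the server is byte-for-byte the same whatever the two arguments contain.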