Re: how to replace and string in a "SELECT ... IN ()"

2008-09-29 Thread Lawrence D'Oliveiro
In message <[EMAIL PROTECTED]>, D'Arcy J.M. Cain wrote: > On Fri, 26 Sep 2008 11:00:59 -0500 > "Michael Mabin" <[EMAIL PROTECTED]> wrote: > >> So we can drop a table in an in clause? How is this a use case? >> Cartoons are funny but actual proof that this example using an in-clause >> provides a

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-28 Thread Michael Mabin
Sadly no. There is no utterance too inconsequential. On Sun, Sep 28, 2008 at 3:10 PM, Steve Holden <[EMAIL PROTECTED]> wrote: > Michael Mabin wrote: > > Tino, dude, I'm afraid I lied about my previous post being the last > > word. There are some things you said here that must be addressed. > >

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-28 Thread Tino Wildenhain
Michael Mabin wrote: Tino, dude, I'm afraid I lied about my previous post being the last word. There are some things you said here that must be addressed. Well. It's interesting to see that either my English is so bad you don't understand or you are too tired. All that needs to be said was sai

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-28 Thread Steve Holden
Michael Mabin wrote: > Tino, dude, I'm afraid I lied about my previous post being the last > word. There are some things you said here that must be addressed. Good grief, is there no utterance so inconsequential that you will walk away from it without yet another round of retaliation? I believe

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-28 Thread Michael Mabin
Tino, dude, I'm afraid I lied about my previous post being the last word. There are some things you said here that must be addressed. On Sun, Sep 28, 2008 at 6:00 AM, Tino Wildenhain <[EMAIL PROTECTED]> wrote: > Michael Mabin wrote: > >> I'm exhausted, so I'll just shut up about this after a few

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-28 Thread Tino Wildenhain
Michael Mabin wrote: I'm exhausted, so I'll just shut up about this after a few final words. Thank you for your time :-) 1. "edits" is used in data warehousing to describe data scrubbing or filtering of fields in records that are used as input sources for loading into data warehouses. It's a

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-27 Thread Michael Mabin
I'm exhausted, so I'll just shut up about this after a few final words. 1. "edits" is used in data warehousing to describe data scrubbing or filtering of fields in records that are used as input sources for loading into data warehouses. It's a term that goes way back to batch processing on the mai

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-27 Thread Tino Wildenhain
Hi, Michael Mabin wrote: If the inputs are edited prior to the construction of the string and these fields are used for more than one update then it's not an exploit. It's simply a matter of not repeating yourself when coding. In python we do not fear that. In this particular case too, we're t

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-27 Thread Michael Mabin
If the inputs are edited prior to the construction of the string and these fields are used for more than one update then it's not an exploit. It's simply a matter of not repeating yourself when coding. In this particular case too, we're talking about a list of integers that gets inserted into a strin

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-27 Thread Tino Wildenhain
Hi, Michael Mabin wrote: so you wouldn't object then to something like ' in (%)' % ','.join([str_edit_for_exploit(x) for x in aList]) if str_edit_for_exploit applied security edits? What's a security edit btw? If it is something meant to turn possibly insecure data into 'secur

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Michael Mabin
Oops. I meant. ' in (%s)' % ','.join([str_edit_for_exploit(x) for x in aList]) On Fri, Sep 26, 2008 at 5:05 PM, Michael Mabin <[EMAIL PROTECTED]> wrote: > so you wouldn't object then to something like ' in (%)' % > ','.join([str_edit_for_exploit(x) for x in aList]) > > if

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Michael Mabin
so you wouldn't object then to something like ' in (%)' % ','.join([str_edit_for_exploit(x) for x in aList]) if str_edit_for_exploit applied security edits? On Fri, Sep 26, 2008 at 2:28 PM, Benjamin Kaplan <[EMAIL PROTECTED]>wrote: > > > On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Benjamin Kaplan
On Fri, Sep 26, 2008 at 3:04 PM, Michael Mabin <[EMAIL PROTECTED]> wrote: > Doesn't it depend on where and why you intend to execute the code? > Obviously some SQL is more at risk for exploit when the input is from the > screen on a web page than if you were running parameterized code in a > contr

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread D'Arcy J.M. Cain
On Fri, 26 Sep 2008 14:04:35 -0500 "Michael Mabin" <[EMAIL PROTECTED]> wrote: > Doesn't it depend on where and why you intend to execute the code? > Obviously some SQL is more at risk for exploit when the input is from the > screen on a web page than if you were running parameterized code in a > co

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Jean-Paul Calderone
On Fri, 26 Sep 2008 14:04:35 -0500, Michael Mabin <[EMAIL PROTECTED]> wrote: Doesn't it depend on where and why you intend to execute the code? Obviously some SQL is more at risk for exploit when the input is from the screen on a web page than if you were running parameterized code in a controlle

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Paul Boddie
On 26 Sep, 12:15, Wojtek Walczak <[EMAIL PROTECTED]> wrote: > On Fri, 26 Sep 2008 02:32:50 -0700 (PDT), bcurtu wrote: > > I have a BIG problem with the next query: > > > cursor.execute(""" > > SELECT titem.object_id, titem.tag_id > > FROM tagging_

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Michael Mabin
Doesn't it depend on where and why you intend to execute the code? Obviously some SQL is more at risk for exploit when the input is from the screen on a web page than if you were running parameterized code in a controlled batch environment. Or if you were writing code generators (which is what I h

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread D'Arcy J.M. Cain
On Fri, 26 Sep 2008 11:00:59 -0500 "Michael Mabin" <[EMAIL PROTECTED]> wrote: > So we can drop a table in an in clause? How is this a use case? Cartoons > are funny but actual proof that this example using an in-clause provides an > exploit would be more helpful I think. I'm not sure what proof

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Michael Mabin
So we can drop a table in an in clause? How is this a use case? Cartoons are funny but actual proof that this example using an in-clause provides an exploit would be more helpful I think. On Fri, Sep 26, 2008 at 9:50 AM, Benjamin Kaplan <[EMAIL PROTECTED]>wrote: > > > On Fri, Sep 26, 2008 at 1

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread MRAB
On Sep 26, 12:23 pm, Tino Wildenhain <[EMAIL PROTECTED]> wrote: > Hi, > > > > Bruno Desthuilliers wrote: > > bcurtu wrote: > >> Hi, > > >> I have a BIG problem with the next query: > > >>         cursor.execute(""" > >>                     SELECT titem.object_id, titem.tag_id > >>          

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Tino Wildenhain
Michael Mabin wrote: I laugh in the face of danger. Give me a use case for an exploit. (see below) On Fri, Sep 26, 2008 at 8:05 AM, Tino Wildenhain <[EMAIL PROTECTED] > wrote: Michael Mabin wrote: cursor.execute("""

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Benjamin Kaplan
On Fri, Sep 26, 2008 at 10:38 AM, Michael Mabin <[EMAIL PROTECTED]> wrote: > I laugh in the face of danger. > > Give me a use case for an exploit. > http://xkcd.com/327/ -- http://mail.python.org/mailman/listinfo/python-list

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Michael Mabin
I laugh in the face of danger. Give me a use case for an exploit. On Fri, Sep 26, 2008 at 8:05 AM, Tino Wildenhain <[EMAIL PROTECTED]> wrote: > Michael Mabin wrote: > >> cursor.execute(""" >> SELECT titem.object_id, titem.tag_id >> FROM tagging_taggedite

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Tino Wildenhain
Michael Mabin wrote: cursor.execute(""" SELECT titem.object_id, titem.tag_id FROM tagging_taggeditem titem WHERE titem.object_id IN (%s) """ % ','.join([str(x) for x in [1,5,9]]) Nope. That would be dangerous! -> goo

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Michael Mabin
cursor.execute(""" SELECT titem.object_id, titem.tag_id FROM tagging_taggeditem titem WHERE titem.object_id IN (%s) """ % ','.join([str(x) for x in [1,5,9]]) On Fri, Sep 26, 2008 at 6:23 AM, Tino Wildenhain <[EMAIL PROT

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Tino Wildenhain
Hi, Bruno Desthuilliers wrote: bcurtu wrote: Hi, I have a BIG problem with the next query: cursor.execute(""" SELECT titem.object_id, titem.tag_id FROM tagging_taggeditem titem WHERE titem.object_id IN (%s)

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Bruno Desthuilliers
bcurtu wrote: Hi, I have a BIG problem with the next query: cursor.execute(""" SELECT titem.object_id, titem.tag_id FROM tagging_taggeditem titem WHERE titem.object_id IN (%s) """,( eid_list)) eid_list i

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Bruno Desthuilliers
Wojtek Walczak wrote: On Fri, 26 Sep 2008 02:32:50 -0700 (PDT), bcurtu wrote: I have a BIG problem with the next query: cursor.execute(""" SELECT titem.object_id, titem.tag_id FROM tagging_taggeditem titem WHERE titem.o

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread bcurtu
Pardon? % instead of %s? It doesn't work... :( On 26 sep, 12:15, Wojtek Walczak <[EMAIL PROTECTED]> wrote: > On Fri, 26 Sep 2008 02:32:50 -0700 (PDT), bcurtu wrote: > > I have a BIG problem with the next query: > > >         cursor.execute(""" > >                     SELECT titem.object_id,

Re: how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread Wojtek Walczak
On Fri, 26 Sep 2008 02:32:50 -0700 (PDT), bcurtu wrote: > I have a BIG problem with the next query: > > cursor.execute(""" > SELECT titem.object_id, titem.tag_id > FROM tagging_taggeditem titem > WHERE titem.object_id IN (%s)

how to replace and string in a "SELECT ... IN ()"

2008-09-26 Thread bcurtu
Hi, I have a BIG problem with the next query: cursor.execute(""" SELECT titem.object_id, titem.tag_id FROM tagging_taggeditem titem WHERE titem.object_id IN (%s) """,( eid_list)) eid_list is supposed to be a