Good catch! Unless you're doing this for simple local testing, this doesn't look like safe practice...
On Wed, Nov 5, 2008 at 12:16 PM, Stefan Scholl <[EMAIL PROTECTED]> wrote:

>
> Hi!
>
> In controller file default.py:
>
>     data = ZipFile(StringIO(urlopen("http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip").read()))
>     data = StringIO(data.read(data.namelist()[0]))
>     while True:
>         chunk = data.readline()
>         if not chunk: break
>         cursor.execute("insert into geoip (begin_ip, end_ip, begin_num, end_num, code, name) values (" + chunk + ")")
>
> This doesn't give a good example for other programmers. Some external
> data gets injected into an SQL statement.
>
>
> Regards,
> Stefan
>
> PS: And there's not a single comment in this file.
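
The change the quoted message points toward, as an added example that is not part of the original thread or of web2py's code: parse each CSV line, validate its fields, and pass the values as bound parameters instead of concatenating the line into the statement. It assumes Python 3 and the standard sqlite3 module (qmark placeholders); SAMPLE_CSV is constructed, and parse_rows and load_geoip are hypothetical names.

```python
import csv
import io
import re
import sqlite3

# Constructed sample rows in the six-column layout of the INSERT quoted above.
SAMPLE_CSV = (
    '"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"\n'
    '"41.66.0.0","41.66.63.255","692191232","692207615","CI","Cote d\'Ivoire"\n'
    '"2.0.0.0","2.0.0.255","33554432","33554687","ZZ","x\'); DROP TABLE geoip; --"\n'
    '"3.0.0.0","3.0.0.255","not-a-number","50332159","US","United States"\n'
    '"4.0.0.0","4.0.0.255","67108864"\n'
)

INSERT_SQL = ("INSERT INTO geoip (begin_ip, end_ip, begin_num, end_num, code, name) "
              "VALUES (?, ?, ?, ?, ?, ?)")
DIGITS = re.compile(r"[0-9]+")
COUNTRY = re.compile(r"[A-Za-z]{2}")


def parse_rows(text):
    """Yield validated 6-tuples; skip rows that do not match the expected shape."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue  # wrong column count: not a GeoIP record
        begin_ip, end_ip, begin_num, end_num, code, name = row
        if not (DIGITS.fullmatch(begin_num) and DIGITS.fullmatch(end_num)):
            continue  # numeric range columns must be plain integers
        if not COUNTRY.fullmatch(code):
            continue  # country code must be two letters
        yield (begin_ip, end_ip, int(begin_num), int(end_num), code, name)


def load_geoip(conn, text):
    """Insert rows with bound parameters; return the number of rows stored."""
    conn.execute("CREATE TABLE IF NOT EXISTS geoip (begin_ip TEXT, end_ip TEXT, "
                 "begin_num INTEGER, end_num INTEGER, code TEXT, name TEXT)")
    rows = list(parse_rows(text))
    # The driver sends values separately from the SQL text, so quotes and
    # SQL keywords inside a field are stored as data, never parsed as SQL.
    conn.executemany(INSERT_SQL, rows)
    conn.commit()
    return len(rows)


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    print(load_geoip(conn, SAMPLE_CSV), "rows stored")
    for (name,) in conn.execute("SELECT name FROM geoip ORDER BY begin_num"):
        print(repr(name))
```

The apostrophe in the second row and the SQL text in the third are stored verbatim in the name column; the last two rows are rejected by validation before they reach the database.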