#1
    Registered User (Latvia, joined May 2005)

    Question: Python, web programming


    When I program in PHP I use stripslashes and addslashes, but I can't find anything similar in Python. Is there any alternative to those functions?

    Maybe someone can give some tips on web development, or some useful functions.

    Also, when I used MySQLdb to store POST data, it printed an error about "\r\n" in the SQL query.

#2
    Contributing User (Atlantic City, NJ, joined Jan 2004)

    Maybe you could post some of your code?
    I'll learn this stuff someday.

#3
    Registered User (Latvia, joined May 2005)

    Originally Posted by Shiner_Man
    Maybe you could post some of your code?
    That's the code:
    Code:
    cur.execute("INSERT INTO mod_raw_text SET sid=%s,type='textile',text='%s'" % (cur.insert_id(),self.req.form['text']))
    Here is the MySQL error:
    Code:
    ProgrammingError: (1064, "You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'textilable.cgi')\r\nhdlr      = logging.FileHandler('textilable.l")
    What functions do you use to handle input or output data for the DB?

#4
    Registered User (Latvia, joined May 2005)

    I solved this problem:
    Code:
    MySQLdb.escape_string(string)

#5
    Contributing User (Norway, joined May 2003)

    Originally Posted by Gacha
    Code:
    cur.execute("INSERT INTO mod_raw_text SET sid=%s,type='textile',text='%s'" % (cur.insert_id(),self.req.form['text']))
    No, no..

    Code:
    cur.execute("INSERT INTO mod_raw_text SET sid=%s,type='textile',text='%s'",  (cur.insert_id(),self.req.form['text']))
    Yes

    By supplying the parameters via the second parameter to execute(), the database module will take care of escaping ', " etc.
    Good web hosting info - articles about web hosting
    hb's web dev blog

#6
    Registered User (Latvia, joined May 2005)

    Why is there no % operator between the SQL and the variables? Can I tell MySQLdb to use escaping in every query?

    In PHP I used ADODB, but I tried it with Python and had problems closing the connection. On every request I had a new process in "ps aux" until mod_python hung, but with MySQLdb everything works great.

#7
    Contributing User (Norway, joined May 2003)

    Originally Posted by Gacha
    Why is there no % operator between the SQL and the variables? Can I tell MySQLdb to use escaping in every query?
    MySQLdb (and other Python database modules) use escaping by default if you use the execute function correctly.
    The execute function has an optional second parameter. The first (required) is the SQL; the second is a value or a tuple of values to be inserted into the SQL query.
    When you do
    Code:
    cur.execute(query%params)
    it is the same as
    Code:
    sqlquery = query%params
    cur.execute(sqlquery)
    and you are just supplying a ready-made SQL query generated with normal string interpolation, which might lead to syntax errors and possibly security problems.

    If you do
    Code:
    cur.execute(query, params)
    the execute function will take care of the string interpolation and make sure that dangerous characters are properly escaped.
    So
    Code:
    cur.execute("SELECT * FROM mod_raw_text WHERE type=%s", ("tex'tile",))
    will generate
    Code:
    SELECT * FROM mod_raw_text WHERE type='tex\'tile'
    which is a valid query, while
    Code:
    cur.execute("SELECT * FROM mod_raw_text WHERE type='%s' "%"tex'tile")
    will generate
    Code:
    SELECT * FROM mod_raw_text WHERE type='tex'tile'
    which will lead to an SQL syntax error.

#8
    Registered User (Latvia, joined May 2005)

    Thanks for the help.

    edit:

    I searched Google 100 times; at least I found:
    Code:
    No quotes should be placed around the %s markers; MySQLdb supplies quotes for you as necessary.
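
    The mechanism posts #5 and #7 describe (execute() interpolating escaped literals for you) and the pitfall post #8 found (quotes around the %s markers), worked through in an added example. This is illustrative code written for this thread, not MySQLdb's own implementation: ModelCursor, literal() and escape_mysql() are a simplified model of what the real driver does through mysql_real_escape_string(), count_statements() is a toy scanner used only to show the effect on statement structure, and the SAMPLES inputs are constructed.

```python
# Added example for this thread: a small model of why cur.execute(sql, params)
# is safe while cur.execute(sql % params) is not. It is NOT MySQLdb's own code.
# escape_mysql() and literal() are a simplified re-implementation of what
# MySQLdb does via mysql_real_escape_string(); ModelCursor only records the
# SQL text that would be sent; count_statements() is a toy scanner.

_ESCAPES = {              # characters mysql_real_escape_string() backslash-escapes
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def escape_mysql(s: str) -> str:
    """Backslash-escape the characters MySQL treats specially inside a quoted string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def literal(value):
    """Render a Python value as a MySQL literal; strings get quotes AND escaping."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, (tuple, list)):
        return tuple(literal(v) for v in value)
    return "'" + escape_mysql(str(value)) + "'"


class ModelCursor:
    """Stand-in for a DB-API cursor: execute(query, args) interpolates the
    *escaped* literals, which is the pattern the real driver follows."""

    def __init__(self):
        self.sent = []

    def execute(self, query, args=None):
        if args is not None:           # only then does the driver substitute
            query = query % literal(args)
        self.sent.append(query)
        return query


def count_statements(sql):
    """Toy check of statement structure: counts top-level ';' separators,
    honouring single-quoted strings with backslash escapes and '-- '/'#'
    comments. Returns -1 when a quote is left open (a syntax error)."""
    n, in_str, i = 1, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "\\":
                i += 1                 # skip the escaped character
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        elif ch == "#" or sql.startswith("-- ", i):
            break                      # rest of the line is a comment
        elif ch == ";":
            n += 1
        i += 1
    return -1 if in_str else n


# Constructed inputs: the thread's own value, a "\r\n" POST body like post #3's,
# and an injection payload.
SAMPLES = {
    "quote": "tex'tile",
    "crlf": "line one\r\nline two",
    "inject": "x'); DROP TABLE mod_raw_text -- ",
}

SQL_UNQUOTED = "INSERT INTO mod_raw_text SET sid=%s,type='textile',text=%s"
SQL_QUOTED = "INSERT INTO mod_raw_text SET sid=%s,type='textile',text='%s'"


def unsafe_insert(sid, text):
    """Post #3's pattern: plain % interpolation before execute(); nothing is escaped."""
    return ModelCursor().execute(SQL_QUOTED % (sid, text))


def safe_insert(sid, text):
    """Post #5's pattern: execute() substitutes escaped literals. The markers
    carry no quotes; literal() adds them (the point post #8 found)."""
    return ModelCursor().execute(SQL_UNQUOTED, (sid, text))


def quoted_marker_insert(sid, text):
    """Post #8's pitfall: quoting the marker yields ''...'' around the value."""
    return ModelCursor().execute(SQL_QUOTED, (sid, text))


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for fn in (unsafe_insert, safe_insert, quoted_marker_insert):
            q = fn(1, text)
            print(f"{name:7} {fn.__name__:21} statements={count_statements(q):2}  {q}")
```

    Run it and compare the three INSERT strings per sample: only safe_insert() keeps the user-supplied text inside one string literal, unsafe_insert() turns the injection payload into two statements, and quoted_marker_insert() wraps the value in a second pair of quotes. On a real MySQLdb cursor the call shape is the same, cur.execute(sql, params) with unquoted %s markers; the escaping there is done by the client library, so it only protects the values you pass as parameters, never table or column names spliced into the SQL text.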
