oracle - Python Parameter pass to prevent sql injection. Why is this giving an error? - 


from django.db import connection, transaction  def pk_dt_catalog(p_cat_id,p_commons_id):      c1 = connection.cursor()     sql = "select commons_id, cat_id, cat_name               dt_catalog"      sql = sql + " cat_id = %s                      , commons_id = %s "      param =(p_cat_id, p_commons_id)     c1.execute(sql, param)     return c1   >>> c = dt_catalog.pk_dt_catalog(513704,401) traceback (most recent call last):   file "<stdin>", line 1, in <module>   file "dt_catalog.py", line 24, in pk_dt_catalog     c1.execute(sql,(p_cat_id, p_commons_id,)) cx_oracle.databaseerror: ora-01036: illegal variable name/number

in code, you're using %s python substition string syntax, expects substitution values on same line, e.g.

sql = sql + " cat_id = %s                 , commons_id = %s " % (p_cat_id, p_commons_id)

however, (as stated already) not best way because (a) can sql injection vulnerability; , (b) cause poor database performance due each call requiring hard parse of new sql statement.

instead, should use oracle bind variable syntax, e.g.:

c1 = connection.cursor() sql = "select commons_id, cat_id, cat_name           dt_catalog"  sql = sql + " cat_id = :foo                  , commons_id = :bar "  param = (p_cat_id, p_commons_id) c1.execute(sql, param) return c1

more info: http://guyharrison.squarespace.com/blog/2010/1/17/best-practices-with-python-and-oracle.html

the above example uses positional binding, i.e. first parameter bound first bind placeholder, , second parameter in list bound second placeholder.

a nicer method using dict assign values specific bind variables name. useful when difficult know order in placeholders have been added query, , makes code easier read , maintain:

c1 = connection.cursor() sql = "select commons_id, cat_id, cat_name           dt_catalog"  sql = sql + " cat_id = :foo                  , commons_id = :bar "  param = {"foo": p_cat_id, "bar": p_commons_id} c1.execute(sql, param) return c1

more examples , tutorials: http://st-curriculum.oracle.com/obe/db/11g/r2/prod/appdev/opensrclang/pythonhol2010_db/python_db.htm


Comments

Post a Comment

Popular posts from this blog

apache - Add omitted ? to URLs -

i working on website cms reads page name of query string, e.g. http://exmaple.com/?pagename . trying create rewrite rule rewrite ? . so, user types in /pagename , taken /?pagename try this: rewriteengine on rewritecond %{request_filename} !-d rewritecond %{request_filename} !-f rewriterule ^/?(.*) index.php?$1 [l]
Read more

redirect - bbPress Forum - rewrite to wwww.mysite prohibits login -

i using bbpress installation without wordpress integration. the redirect of rewriteengine @ forum site works: rewriteengine on rewritecond %{http_host} ^forum.mysite.com$ rewriterule (.*)$ http://www.forum.mysite.com/$1 [r=301,l] the problem login pppress. bbpress login not recognize: http://www.forum.mysite/bb-login.php . it redirects to: http://forum.mysite.com/bb-login.php . i tried permalink settings none , name based, same issue. does uses redirect in bbpress or how can eliminate "double" content , redirect permanently www.? i redirected www.forum.mysite.com forum.mysite.com , achieved eliminate "double" content.
Read more

php - How can I stop spam on my custom forum/blog? -

so have custom built forum & blog system of late has been dealing lot of spam. if wordpress use akismet, if different common platform i'm sure i'd find plugin. there kind of static class can download this? using php. i'd still go akismet, if it. uses outside of wordpress, may have pay fee it, depending on use -- check terms , conditions -- it's option , easy implement in php using api. use api key wordpress. com account access. basically, grab whichever php client library takes fancy -- use alex potsides' php5 library -- plug in key, , it's handful of lines of code. here's bare bones of validation straight 1 of live sites: ... if ($akismet) { $akismet->setcommentauthor($name); $akismet->setcommentauthoremail($session->userinfo["email"]); $akismet->setcommentauthorurl(""); $akismet->setcommentcontent($sentence);...
Read more