Fix sql injection
0
I try to rebuild this function
def getStackArea(screen_area):
db = postgresql.open(db_conf.connectionString())
data = db.query("select stack_area from screen_coordinates where screen_area = " + screen_area + " and active = 1")
return data[0]['stack_area']
To
def getStackArea(screen_area):
db = postgresql.open(db_conf.connectionString())
sql = "select stack_area from screen_coordinates where screen_area = ? and active = ?"
row = db.query.first(sql, (screen_area,1))
return data[0]['stack_area']
But there is syntax error at or near "and". What I do wrong? First function works good but not safety. I use py-postgresql
python postgresql
asked Nov 19 '18 at 19:15
danydany
62
add a comment |
0
I try to rebuild this function
def getStackArea(screen_area):
db = postgresql.open(db_conf.connectionString())
data = db.query("select stack_area from screen_coordinates where screen_area = " + screen_area + " and active = 1")
return data[0]['stack_area']
To
def getStackArea(screen_area):
db = postgresql.open(db_conf.connectionString())
sql = "select stack_area from screen_coordinates where screen_area = ? and active = ?"
row = db.query.first(sql, (screen_area,1))
return data[0]['stack_area']
But there is syntax error at or near "and". What I do wrong? First function works good but not safety. I use py-postgresql
python postgresql
asked Nov 19 '18 at 19:15
danydany
62
What library are you using? That will affect what characters will be treated as placeholders. The error message you give implies the `? as being passed literally to the SQL engine, rather than be replaced first by the given arguments.
– chepner
Nov 19 '18 at 19:19
@chepner I use py-postgresql
– dany
Nov 19 '18 at 19:22
1
The example on pypi.org/project/py-postgresql suggestssql = "select ... where screen_area = $1 and active = $2"instead.
– chepner
Nov 19 '18 at 19:25
@chepner Thanks. It works. If post the answer I vote for it
– dany
Nov 19 '18 at 19:34
add a comment |
0
0
0
I try to rebuild this function
def getStackArea(screen_area):
db = postgresql.open(db_conf.connectionString())
data = db.query("select stack_area from screen_coordinates where screen_area = " + screen_area + " and active = 1")
return data[0]['stack_area']
To
def getStackArea(screen_area):
db = postgresql.open(db_conf.connectionString())
sql = "select stack_area from screen_coordinates where screen_area = ? and active = ?"
row = db.query.first(sql, (screen_area,1))
return data[0]['stack_area']
But there is syntax error at or near "and". What I do wrong? First function works good but not safety. I use py-postgresql
python postgresql
asked Nov 19 '18 at 19:15
danydany
62
I try to rebuild this function
def getStackArea(screen_area):
db = postgresql.open(db_conf.connectionString())
data = db.query("select stack_area from screen_coordinates where screen_area = " + screen_area + " and active = 1")
return data[0]['stack_area']
To
def getStackArea(screen_area):
db = postgresql.open(db_conf.connectionString())
sql = "select stack_area from screen_coordinates where screen_area = ? and active = ?"
row = db.query.first(sql, (screen_area,1))
return data[0]['stack_area']
But there is syntax error at or near "and". What I do wrong? First function works good but not safety. I use py-postgresql
python postgresql
python postgresql
asked Nov 19 '18 at 19:15
danydany
62
asked Nov 19 '18 at 19:15
danydany
62
edited Nov 19 '18 at 19:23
dany
asked Nov 19 '18 at 19:15
danydany
62
asked Nov 19 '18 at 19:15
danydany
62
asked Nov 19 '18 at 19:15
danydany
62
62
What library are you using? That will affect what characters will be treated as placeholders. The error message you give implies the `? as being passed literally to the SQL engine, rather than be replaced first by the given arguments.
– chepner
Nov 19 '18 at 19:19
@chepner I use py-postgresql
– dany
Nov 19 '18 at 19:22
1
The example on pypi.org/project/py-postgresql suggestssql = "select ... where screen_area = $1 and active = $2"instead.
– chepner
Nov 19 '18 at 19:25
@chepner Thanks. It works. If post the answer I vote for it
– dany
Nov 19 '18 at 19:34
add a comment |
What library are you using? That will affect what characters will be treated as placeholders. The error message you give implies the `? as being passed literally to the SQL engine, rather than be replaced first by the given arguments.
– chepner
Nov 19 '18 at 19:19
@chepner I use py-postgresql
– dany
Nov 19 '18 at 19:22
1
The example on pypi.org/project/py-postgresql suggestssql = "select ... where screen_area = $1 and active = $2"instead.
– chepner
Nov 19 '18 at 19:25
@chepner Thanks. It works. If post the answer I vote for it
– dany
Nov 19 '18 at 19:34
What library are you using? That will affect what characters will be treated as placeholders. The error message you give implies the `? as being passed literally to the SQL engine, rather than be replaced first by the given arguments.
– chepner
Nov 19 '18 at 19:19
What library are you using? That will affect what characters will be treated as placeholders. The error message you give implies the `? as being passed literally to the SQL engine, rather than be replaced first by the given arguments.
– chepner
Nov 19 '18 at 19:19
@chepner I use py-postgresql
– dany
Nov 19 '18 at 19:22
@chepner I use py-postgresql
– dany
Nov 19 '18 at 19:22
1
1
The example on pypi.org/project/py-postgresql suggests
sql = "select ... where screen_area = $1 and active = $2" instead.– chepner
Nov 19 '18 at 19:25
The example on pypi.org/project/py-postgresql suggests
sql = "select ... where screen_area = $1 and active = $2" instead.– chepner
Nov 19 '18 at 19:25
@chepner Thanks. It works. If post the answer I vote for it
– dany
Nov 19 '18 at 19:34
@chepner Thanks. It works. If post the answer I vote for it
– dany
Nov 19 '18 at 19:34
add a comment |
1 Answer
1
active
oldest
votes
0
py-postgresql uses numbered parameters $1, $2, etc, rather than ? as placeholders.
sql = "select stack_area from screen_coordinates where screen_area = $1 and active = $2"
answered Nov 19 '18 at 19:56
chepnerchepner
250k33236331
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53381203%2ffix-sql-injection%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
0
py-postgresql uses numbered parameters $1, $2, etc, rather than ? as placeholders.
sql = "select stack_area from screen_coordinates where screen_area = $1 and active = $2"
answered Nov 19 '18 at 19:56
chepnerchepner
250k33236331
add a comment |
0
py-postgresql uses numbered parameters $1, $2, etc, rather than ? as placeholders.
sql = "select stack_area from screen_coordinates where screen_area = $1 and active = $2"
answered Nov 19 '18 at 19:56
chepnerchepner
250k33236331
add a comment |
0
0
0
py-postgresql uses numbered parameters $1, $2, etc, rather than ? as placeholders.
sql = "select stack_area from screen_coordinates where screen_area = $1 and active = $2"
answered Nov 19 '18 at 19:56
chepnerchepner
250k33236331
py-postgresql uses numbered parameters $1, $2, etc, rather than ? as placeholders.
sql = "select stack_area from screen_coordinates where screen_area = $1 and active = $2"
answered Nov 19 '18 at 19:56
chepnerchepner
250k33236331
answered Nov 19 '18 at 19:56
chepnerchepner
250k33236331
answered Nov 19 '18 at 19:56
chepnerchepner
250k33236331
answered Nov 19 '18 at 19:56
chepnerchepner
250k33236331
250k33236331
add a comment |
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53381203%2ffix-sql-injection%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
What library are you using? That will affect what characters will be treated as placeholders. The error message you give implies the `? as being passed literally to the SQL engine, rather than be replaced first by the given arguments.
– chepner
Nov 19 '18 at 19:19
@chepner I use py-postgresql
– dany
Nov 19 '18 at 19:22
1
The example on pypi.org/project/py-postgresql suggests
sql = "select ... where screen_area = $1 and active = $2"instead.– chepner
Nov 19 '18 at 19:25
@chepner Thanks. It works. If post the answer I vote for it
– dany
Nov 19 '18 at 19:34