openstack
/
ossa
Code Issues Proposed changes

Merge "Fix for incorrect MySQLdb escaping example"

This commit is contained in:
Zuul 2018-09-08 17:28:40 +00:00 committed by Gerrit Code Review
parent 51e04ea771 5d7466981b
commit 2bda61eb99
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
doc/source/guidelines/dg_parameterize-database-queries.rst
View File

@ -95,25 +95,28 @@ be created.
cur = con.cursor() cur = con.cursor()
cur.execute(query) cur.execute(query)
Correct Better
^^^^^^^ ^^^^^^
In this example the query is created using pythons standard, unsafe In this example the query is created using pythons standard, unsafe
'%' operator. MySQL's 'escape\_string' method is used to perform escaping '%' operator. MySQL's 'escape\_string' method is used to perform escaping
on the query string immediately before executing it. on the user input string prior to inclusion in the string.
.. code:: python .. code:: python
import MySQLdb import MySQLdb
query = "select username from users where username = '%s'" % name query = "select username from users where username = '%s'" % MySQLdb.escape_string(name)
con = MySQLdb.connect('localhost', 'testuser', 'test623', 'testdb'); con = MySQLdb.connect('localhost', 'testuser', 'test623', 'testdb');
with con: with con:
cur = con.cursor() cur = con.cursor()
cur.execute(MySQLdb.escape_string(query)) cur.execute(query)
An alternative, but also correct, way to do this using a parameterized Correct
^^^^^^^
The correct way to do this using a parameterized
query might look like the following: query might look like the following:
.. code:: python .. code:: python