Fix for incorrect MySQLdb escaping example

My suggestion for improving the parameterized query documentation.
Closes-Bug: #1745555

Change-Id: I55d3d660436bbead403e53d1ed42b285b47326de
Joshua Padman 2018-01-31 21:17:03 +11:00
parent 369ec51299
commit 5d7466981b
1 changed files with 9 additions and 6 deletions


@ -95,25 +95,28 @@ be created.
cur = con.cursor() cur = con.cursor()
cur.execute(query) cur.execute(query)
Correct Better
^^^^^^^ ^^^^^^
In this example the query is created using pythons standard, unsafe In this example the query is created using pythons standard, unsafe
'%' operator. MySQL's 'escape\_string' method is used to perform escaping '%' operator. MySQL's 'escape\_string' method is used to perform escaping
on the query string immediately before executing it. on the user input string prior to inclusion in the string.
.. code:: python .. code:: python
import MySQLdb import MySQLdb
query = "select username from users where username = '%s'" % name query = "select username from users where username = '%s'" % MySQLdb.escape_string(name)
con = MySQLdb.connect('localhost', 'testuser', 'test623', 'testdb'); con = MySQLdb.connect('localhost', 'testuser', 'test623', 'testdb');
with con: with con:
cur = con.cursor() cur = con.cursor()
cur.execute(MySQLdb.escape_string(query)) cur.execute(query)
An alternative, but also correct, way to do this using a parameterized Correct
^^^^^^^
The correct way to do this using a parameterized
query might look like the following: query might look like the following:
.. code:: python .. code:: python
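Review bot: in the new "Better" example, `MySQLdb.escape_string(name)` is the module-level `_mysql` function, which has no connection to consult for the character set and so cannot escape correctly for multibyte encodings; build the query after `con = MySQLdb.connect(...)` (inside the `with con:` block) and use `con.escape_string(name)` instead, and have the prose say plainly that this is a fallback and the parameterized form below is the recommended one. A second thing to verify before this lands: on Python 3 with mysqlclient, `escape_string` returns `bytes`, so `"... '%s'" % MySQLdb.escape_string(name)` interpolates the `b'...'` representation into the query rather than the escaped text; the example should decode the result or note that it targets Python 2. Minor: "pythons" should be "Python's", "prior to inclusion in the string" reads better as "before it is interpolated into the query string", and the trailing semicolon on the `connect(...)` line is unidiomatic Python.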