Python Forum

Full Version: SQLALCHEMY - Column doesn't exist
Hi all,

Very simple issue - code in question is:

# Caveat: in PostgreSQL double quotes delimit identifiers (column/table names),
# not string values, so the "..." around the spliced-in value will also be parsed as a column name.
for data in engine.execute('select style_no from data where style_size_no_in = "' + myVariable[0] + '"'):
    print(data)  # loop variable is data, not x
The below error is being flagged:
Error:
sqlalchemy.exc.ProgrammingError: (psycopg2.errors.UndefinedColumn) column "style_no" does not exist
The problem is that this column definitely exists as I've got PGAdmin4 open on another screen. If I change the style_no to * then it says that style_size_no_in doesn't exist either.

Please help.

James
Figured out a fix - if I put the column names in quotes then it works fine.

Thanks,
James
You also shouldn't be concatenating strings to build SQL statements, as that's vulnerable to SQL injection. Bobby Tables can educate you on this.
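To make the point concrete, here is an added example (not code from the thread) showing the concatenated query beside the parameterised one. It uses the standard-library sqlite3 module with an in-memory database and a constructed `data` table so it runs offline; the same idea with SQLAlchemy is `text("select style_no from data where style_size_no_in = :size")` executed with `{"size": value}`, where the driver sends the value separately from the SQL text. Single quotes are used for the literal because in PostgreSQL double quotes delimit identifiers, not values.

```python
import sqlite3

# Constructed sample rows standing in for the poster's Postgres "data" table.
SAMPLE_ROWS = [
    ("A100", "S1"),
    ("B200", "S2"),
    ("C300", "S3"),
]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (style_no TEXT, style_size_no_in TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concat(conn, size_no):
    """Mirrors the thread's approach: the value is spliced into the SQL text.

    Anything the value contains becomes part of the statement, so a quote
    character lets the caller rewrite the WHERE clause.
    """
    sql = ("SELECT style_no FROM data WHERE style_size_no_in = '"
           + size_no + "' ORDER BY style_no")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, size_no):
    """Same query with a bound parameter.

    The SQL text is fixed; the driver passes the value out of band, so it is
    compared as data and is never parsed as SQL.
    """
    sql = "SELECT style_no FROM data WHERE style_size_no_in = ? ORDER BY style_no"
    return [row[0] for row in conn.execute(sql, (size_no,))]


def demo():
    """Run both lookups with a normal value and with a classic injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # closes the literal and appends an always-true clause
    return {
        "concat_normal": lookup_concat(conn, "S1"),
        "param_normal": lookup_param(conn, "S1"),
        "concat_payload": lookup_concat(conn, payload),  # leaks every row
        "param_payload": lookup_param(conn, payload),    # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterised version is no more code than the concatenated one, and it also sidesteps the quoting problem from the first post: the value never has to be wrapped in quotes inside the SQL string at all.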
(Nov-01-2021, 12:45 PM)ndc85430 Wrote: [ -> ]You also shouldn't be concatenating strings to build SQL statements, as that's vulnerable to SQL injection. Bobby Tables can educate you on this.

Hi there,

I understand. My workaround (on Flask) is to pull the data from SQL, use that to build an HTML string, close the connection and then return the HTML string.

That way nothing on the user's end relates directly to the db.
The vulnerability that @ndc85430 mentions has nothing to do with closing connection before returning anything to frontend.
Assuming you run a query based on some query parameters that you receive from the user, you are exposed to SQL injection (also on Wikipedia).

Also, why do you construct html string at the backend, don't you use templates?
(Nov-01-2021, 02:00 PM)buran Wrote: [ -> ]The vulnerability that @ndc85430 mentions has nothing to do with closing connection before returning anything to frontend.
Assuming you run a query based on some query parameters that you receive from the user, you are exposed to SQL injection (also on Wikipedia).

Also, why do you construct html string at the backend, don't you use templates?

Hi,

No, the website itself doesn't need to look nice, just to display data. There isn't any query being constructed by user input, the page's role is to dynamically display data.

Thanks,
James
Still, there's no downside to constructing queries correctly and it doesn't take much effort.
(Nov-02-2021, 08:43 AM)jamesaarr Wrote: [ -> ]the page's role is to dynamically display data.
I still think you don't understand. How does it display data dynamically without query parameters? E.g. where does the myVariable[0] value come from?
(Nov-02-2021, 11:20 AM)buran Wrote: [ -> ]
(Nov-02-2021, 08:43 AM)jamesaarr Wrote: [ -> ]the page's role is to dynamically display data.
I still think you don't understand. How does it display data dynamically without query parameters? E.g. where does the myVariable[0] value come from?

Hi mate,

The query uses variable parameters from separate tables. It runs a query for all on one table, then searches the other tables for data using a list. These are fixed, there is no user input on this page, and the connection is closed before the HTML is returned in Flask.

Thanks,
James
I don't understand the aversion to doing the correct thing, especially when it isn't complicated.