Posts: 71
Threads: 16
Joined: Jul 2021
Hi all,
Very simple issue - code in question is:
    for data in engine.execute('select style_no from data where style_size_no_in = "' + myVariable[0] + '"'):
        print(data)
The below error is being flagged:
Error: sqlalchemy.exc.ProgrammingError: (psycopg2.errors.UndefinedColumn) column "style_no" does not exist
The problem is that this column definitely exists as I've got PGAdmin4 open on another screen. If I change the style_no to * then it says that style_size_no_in doesn't exist either.
Please help.
James
while dad_has_cigs == True:
happiness = True
if dad_has_cigs == False:
print("Dad come home!")
happiness = not happiness
break
Posts: 71
Threads: 16
Joined: Jul 2021
Figured out a fix - if I put the column names in quotes then it works fine.
Thanks,
James
Posts: 1,838
Threads: 2
Joined: Apr 2017
You also shouldn't be concatenating strings to build SQL statements, as that's vulnerable to SQL injection. Bobby Tables can educate you on this.
Posts: 71
Threads: 16
Joined: Jul 2021
(Nov-01-2021, 12:45 PM)ndc85430 Wrote: You also shouldn't be concatenating strings to build SQL statements, as that's vulnerable to SQL injection. Bobby Tables can educate you on this.
Hi there,
I understand. My workaround (on Flask) is to pull the data from SQL, use that to build an HTML string, close the connection and then return the HTML string.
That way nothing on the user's end relates directly to the DB.
Posts: 8,159
Threads: 160
Joined: Sep 2016
Nov-01-2021, 02:00 PM
(This post was last modified: Nov-01-2021, 02:00 PM by buran.)
The vulnerability that @ndc85430 mentions has nothing to do with closing the connection before returning anything to the frontend.
Assuming you run a query based on some query parameters that you receive from the user, you are exposed to SQL injection (also on Wikipedia).
Also, why do you construct the HTML string at the backend? Don't you use templates?
Posts: 71
Threads: 16
Joined: Jul 2021
(Nov-01-2021, 02:00 PM)buran Wrote: The vulnerability that @ndc85430 mentions has nothing to do with closing the connection before returning anything to the frontend.
Assuming you run a query based on some query parameters that you receive from the user, you are exposed to SQL injection (also on Wikipedia).
Also, why do you construct the HTML string at the backend? Don't you use templates?
Hi,
No, the website itself doesn't need to look nice, just to display data. There isn't any query being constructed by user input; the page's role is to dynamically display data.
Thanks,
James
Posts: 1,838
Threads: 2
Joined: Apr 2017
Still, there's no downside to constructing queries correctly and it doesn't take much effort.
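Constructing the query correctly, as an added example that is not from this thread: the concatenated form from the first post beside a parameterized one, run against a standard-library sqlite3 in-memory table with constructed rows instead of PostgreSQL/psycopg2 so it works offline. With psycopg2 the placeholder is %s and with SQLAlchemy text() it is :name; the pattern is otherwise the same.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "data" table.
SAMPLE_ROWS = [
    ("S100", "10-M"),
    ("S200", "12-L"),
    ("S300", "O'Neil special"),
]


def make_db():
    """In-memory stand-in for the PostgreSQL table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table data (style_no text, style_size_no_in text)")
    conn.executemany("insert into data values (?, ?)", SAMPLE_ROWS)
    return conn


def fetch_concatenated(conn, size_code):
    """The thread's approach: the value is spliced into the SQL text.
    Quoting is done by hand, so any quote inside the value breaks out of
    the literal. (Single quotes are used here because in PostgreSQL double
    quotes delimit identifiers, not strings.)"""
    sql = "select style_no from data where style_size_no_in = '" + size_code + "'"
    return [row[0] for row in conn.execute(sql)]


def fetch_parameterized(conn, size_code):
    """Correct approach: the driver binds the value, so it is only ever data
    and can never be parsed as part of the statement."""
    sql = "select style_no from data where style_size_no_in = ?"
    return [row[0] for row in conn.execute(sql, (size_code,))]


def compare(size_code):
    """Run both forms on the same input and return
    (concatenated_result, parameterized_result). A concatenated statement
    that no longer parses is reported by its exception class name."""
    conn = make_db()
    try:
        unsafe = fetch_concatenated(conn, size_code)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    safe = fetch_parameterized(conn, size_code)
    conn.close()
    return unsafe, safe
```

An ordinary value behaves the same both ways; a value containing an apostrophe breaks the concatenated statement but is matched correctly when bound, and a value that alters the WHERE clause returns every row from the concatenated form while the parameterized form returns nothing.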
Posts: 8,159
Threads: 160
Joined: Sep 2016
(Nov-02-2021, 08:43 AM)jamesaarr Wrote: the page's role is to dynamically display data.
I still think you don't understand. How does it display data dynamically, without query parameters? E.g. where does the myVariable[0] value come from?
Posts: 71
Threads: 16
Joined: Jul 2021
(Nov-02-2021, 11:20 AM)buran Wrote: (Nov-02-2021, 08:43 AM)jamesaarr Wrote: the page's role is to dynamically display data.
I still think you don't understand. How does it display data dynamically, without query parameters? E.g. where does the myVariable[0] value come from?
Hi mate,
The query uses variable parameters from separate tables. It runs a query for all on one table, then searches the other tables for data using a list. These are fixed, there is no user input on this page, and the connection is closed before the HTML is returned in Flask.
Thanks,
James
Posts: 1,838
Threads: 2
Joined: Apr 2017
I don't understand the aversion to doing the correct thing, especially when it isn't complicated.