[Twisted-Python] multiple mysql results in function
Maarten ter Huurne
maarten at treewalker.org
Wed Dec 12 21:35:34 EST 2007
On Wednesday 12 December 2007, Ryan McGuire wrote:
> def xmlrpc_thought(self, uname, pwrd, arg, msg):
>     """Return the most recent thought"""
>     if arg == "get":
>         db = adbapi.ConnectionPool("MySQLdb", host='192.168.0.220',
>                                    user='redbeardmcg', passwd='xxxxx', db='itr')
>         db.start()
>         return db.runQuery("""
>             SELECT * FROM thoughts
>             WHERE tid > (SELECT curtid FROM users
>                          WHERE uid = (SELECT uid FROM users
>                                       WHERE username='%s' AND password='%s'))
>             """ % (uname, pwrd)).addCallback(lambda results: results[0][2])
Unrelated to your problem, but are you aware that this code is vulnerable to
SQL injection? The values of "uname" and "pwrd" are set by the XMLRPC
client and are not escaped when they are inserted into the query. This
might not be a problem if you trust everyone on your network, but if you
expose this to the internet or mischievous local users, you're asking for
trouble.
Bye,
Maarten
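The fix Maarten points at, as an added example that is not code from this thread: the same nested query with the client-supplied values handed to the driver as parameters instead of formatted into the SQL text. It uses the standard-library sqlite3 module as an offline stand-in for MySQLdb (placeholder `?` instead of MySQLdb's `%s`; the table columns are assumed since the thread does not show the schema); with adbapi the equivalent is `db.runQuery(sql, (uname, pwrd))`, since runQuery forwards its arguments to cursor.execute.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the 'itr' database in the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uid INTEGER, username TEXT, password TEXT, curtid INTEGER);
        CREATE TABLE thoughts (tid INTEGER, uid INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'alice', 'secret', 1);
        INSERT INTO users VALUES (2, 'o''brien', 'hunter2', 1);
        INSERT INTO thoughts VALUES (1, 1, 'old thought');
        INSERT INTO thoughts VALUES (2, 1, 'newest thought');
    """)
    return conn


# As in the post: the XML-RPC client's values are spliced into the SQL text,
# so any quote character in them changes the statement itself.
VULNERABLE_SQL = """SELECT * FROM thoughts
WHERE tid > (SELECT curtid FROM users
  WHERE uid = (SELECT uid FROM users
    WHERE username='%s' AND password='%s'))"""

# Fixed: placeholders; the driver quotes the values and they stay data.
# (sqlite3 uses '?', MySQLdb uses '%s', both take the same tuple argument.)
SAFE_SQL = """SELECT * FROM thoughts
WHERE tid > (SELECT curtid FROM users
  WHERE uid = (SELECT uid FROM users
    WHERE username=? AND password=?))"""


def thought_vulnerable(conn, uname, pwrd):
    return conn.execute(VULNERABLE_SQL % (uname, pwrd)).fetchall()


def thought_safe(conn, uname, pwrd):
    return conn.execute(SAFE_SQL, (uname, pwrd)).fetchall()


def quote_breaks_query(conn, uname, pwrd):
    """True if the spliced query fails on a quote in the client input."""
    try:
        thought_vulnerable(conn, uname, pwrd)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(thought_safe(db, "alice", "secret"))           # [(2, 1, 'newest thought')]
    print(quote_breaks_query(db, "o'brien", "hunter2"))  # True
    print(thought_safe(db, "o'brien", "hunter2"))        # [(2, 1, 'newest thought')]
```

A legitimate username containing an apostrophe is enough to make the spliced version fail, while the parameterized version returns the row; a wrong password yields no rows in either case rather than an error.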