[Twisted-Python] multiple mysql results in function

Maarten ter Huurne maarten at treewalker.org
Wed Dec 12 21:35:34 EST 2007


On Wednesday 12 December 2007, Ryan McGuire wrote:

>     def xmlrpc_thought(self, uname, pwrd, arg, msg):
>         """Return the most recent thought"""
>         if arg == "get":
>                 db = adbapi.ConnectionPool("MySQLdb", host='192.168.0.220',
>                                            user='redbeardmcg', passwd='xxxxx', db='itr')
>                 db.start()
>                 return db.runQuery("""
>                         SELECT * FROM thoughts
>                         WHERE tid > (SELECT curtid FROM users
>                         WHERE uid = (SELECT uid FROM users
>                         WHERE username='%s' AND password='%s'))
>                 """ % (uname, pwrd)).addCallback(lambda results:
> results[0][2])

Unrelated to your problem, but are you aware that this code is vulnerable to 
SQL injection? The values of "uname" and "pwrd" are set by the XMLRPC 
client and are not escaped when they are inserted into the query. This 
might not be a problem if you trust everyone on your network, but if you 
expose this to the internet or mischievous local users, you're asking for 
trouble.

Bye,
		Maarten
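The query from the post rewritten to bind the values as parameters, as an added example that is not part of this thread. It uses Python's sqlite3 module in place of MySQLdb/adbapi so it runs stand-alone; the table contents are constructed, and the sample user "O'Brien" only shows that a quote inside a value is treated as SQL syntax by the spliced-in form and as plain data by the parameterised one.

```python
import sqlite3

# Constructed stand-in for the MySQL tables in the post (in-memory SQLite).
# sqlite3 uses "?" placeholders where MySQLdb uses "%s"; in both cases
# adbapi.ConnectionPool.runQuery(sql, params) hands (sql, params) straight to
# cursor.execute(), so the parameterised query below works unchanged under adbapi.
SCHEMA = [
    "CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT, curtid INTEGER)",
    "CREATE TABLE thoughts (tid INTEGER PRIMARY KEY, uid INTEGER, body TEXT)",
    "INSERT INTO users VALUES (1, 'redbeardmcg', 'xxxxx', 0)",
    "INSERT INTO users VALUES (2, \"O'Brien\", 'pw2', 1)",
    "INSERT INTO thoughts VALUES (1, 2, 'first thought')",
    "INSERT INTO thoughts VALUES (2, 2, 'second thought')",
]

# The post's query; {u} and {p} are filled with either literals or placeholders.
THOUGHTS_SQL = """
    SELECT * FROM thoughts
    WHERE tid > (SELECT curtid FROM users
                 WHERE uid = (SELECT uid FROM users
                              WHERE username={u} AND password={p}))
"""

def fresh_db():
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    return conn

def latest_thought_unsafe(conn, uname, pwrd):
    # The post's pattern: values spliced into the SQL text with "%".
    # A quote inside the value is parsed as SQL syntax, not as data.
    sql = THOUGHTS_SQL.format(u="'%s'", p="'%s'") % (uname, pwrd)
    rows = conn.execute(sql).fetchall()
    return rows[0][2] if rows else None

def latest_thought_safe(conn, uname, pwrd):
    # Hardened form: placeholders in the SQL, values passed separately.
    # The driver binds them as data, so they can never change the query.
    sql = THOUGHTS_SQL.format(u="?", p="?")
    rows = conn.execute(sql, (uname, pwrd)).fetchall()
    return rows[0][2] if rows else None

def unsafe_breaks_on_quote(conn, uname, pwrd):
    # True when the spliced-in value was interpreted as SQL: the apostrophe in
    # O'Brien ends the string literal early and the statement fails to parse,
    # which is the same mechanism that makes injection possible.
    try:
        latest_thought_unsafe(conn, uname, pwrd)
        return False
    except sqlite3.OperationalError:
        return True
```

With MySQLdb the placeholder text is `%s` rather than `?`, but the SQL string is then passed to `runQuery` unformatted, with the values in the second argument.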