Zeitgeist Framework

Merge lp:~seif/zeitgeist/use-new-placeholders into lp:zeitgeist/0.1

  1. use-new-placeholders
  2. Merge into 0.8-python
Proposed by Seif Lotfy
Status: Rejected
Rejected by: Seif Lotfy
Proposed branch: lp:~seif/zeitgeist/use-new-placeholders
Merge into: lp:zeitgeist/0.1
Diff against target: 30 lines (+3/-3)
1 file modified
_zeitgeist/engine/main.py (+3/-3)
To merge this branch: bzr merge lp:~seif/zeitgeist/use-new-placeholders
Reviewer Review Type Date Requested Status
Zeitgeist Framework Team Pending
Review via email: mp+42943@code.launchpad.net

Description of the change

The SQLite docs say:
---
You shouldn’t assemble your query using Python’s string operations because doing so is insecure; it makes your program vulnerable to an SQL injection attack.

Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.
---
This branch fixes it.

To post a comment you must log in.
Revision history for this message
Mikkel Kamstrup Erlandsen (kamstrup) wrote :

I believe we use the current approach because the 'correct' one fails with
thousands of ids in the arguments
On Dec 7, 2010 3:01 PM, "Seif Lotfy" <email address hidden> wrote:
> Seif Lotfy has proposed merging lp:~seif/zeitgeist/use-new-placeholders
 into lp:zeitgeist.
>
> Requested reviews:
> Zeitgeist Framework Team (zeitgeist)
>
>
> The SQLite docs say:
> ---
> You shouldn’t assemble your query using Python’s string operations because
 doing so is insecure; it makes your program vulnerable to an SQL injection
attack.
>
> Instead, use the DB-API’s parameter substitution. Put ? as a placeholder
 wherever you want to use a value, and then provide a tuple of values as the
second argument to the cursor’s execute() method.
> ---
> This branch fixes it.
> --
>
 https://code.launchpad.net/~seif/zeitgeist/use-new-placeholders/+merge/42943
> Your team Zeitgeist Framework Team is requested to review the proposed
 merge of lp:~seif/zeitgeist/use-new-placeholders into lp:zeitgeist.

Revision history for this message
Siegfried Gevatter (rainct) wrote :

2010/12/7 Mikkel Kamstrup Erlandsen <email address hidden>:
> I believe we use the current approach because the 'correct' one fails with
> thousands of ids in the arguments

Right.

Further, this change would give us no real benefit, since we're
already ensuring everything is a number.

Unmerged revisions

1645. By Seif Lotfy

Use ? placeholders instead of using Python's string operations. What we were doing is insecure

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file '_zeitgeist/engine/main.py'
2--- _zeitgeist/engine/main.py 2010-11-29 09:09:13 +0000
3+++ _zeitgeist/engine/main.py 2010-12-07 14:01:20 +0000
4@@ -169,7 +169,7 @@
5 rows = self._cursor.execute("""
6 SELECT * FROM event_view
7 WHERE id IN (%s)
8- """ % ",".join("%d" % id for id in ids)).fetchall()
9+ """ % ",".join('?'*len(ids)), ids).fetchall()
10
11 id_hash = defaultdict(list)
12 for n, id in enumerate(ids):
13@@ -448,7 +448,7 @@
14 rows = self._cursor.execute("""
15 SELECT id, timestamp, subj_uri FROM event_view
16 WHERE id IN (%s)
17- """ % ",".join("%d" % id for id in pot)).fetchall()
18+ """ % ",".join('?'*len(pot)), pot).fetchall()
19
20 subject_uri_counter = defaultdict(int)
21 latest_uris = defaultdict(int)
22@@ -600,7 +600,7 @@
23 SELECT MIN(timestamp), MAX(timestamp)
24 FROM event
25 WHERE id IN (%s)
26- """ % ",".join(str(int(_id)) for _id in ids))
27+ """ % ",".join(["?"] * len(ids)), ids)
28 timestamps = self._cursor.fetchone()
29
30 # Make sure that we actually found some events with these ids...

Subscribers

People subscribed via source and target branches