From: Ian Kelly on 27 Jun 2010 03:31

On Sat, Jun 26, 2010 at 8:31 PM, Lawrence D'Oliveiro <ldo(a)geek-central.gen.new_zealand> wrote:
> Except I only needed two calls to SQLString, while you need two dozen
> instances of that repetitive items.c boilerplate.
>
> As a human, being repetitive is not my job. That's what the computer is for.

Then why do you have every parameter prefixed with "modify_"? 8-)

But seriously, if that bothers you, then fold the "items.c." portion into the generator expression with a getattr call. Or just change them back to the same strings you had originally, and sqlalchemy will be just as happy to accept them as-is.

Cheers,
Ian

From: Kushal Kumaran on 27 Jun 2010 04:15

On Sun, Jun 27, 2010 at 9:47 AM, Lawrence D'Oliveiro <ldo(a)geek-central.gen.new_zealand> wrote:
> In message <roy-854954.20435125062010(a)news.panix.com>, Roy Smith wrote:
>
>> I recently fixed a bug in some production code. The programmer was
>> careful to use snprintf() to avoid buffer overflows. The only problem
>> is, he wrote something along the lines of:
>>
>> snprintf(buf, strlen(foo), foo);
>
> A long while ago I came up with this macro:
>
>     #define Descr(v) &v, sizeof v
>
> making the correct version of the above become
>
>     snprintf(Descr(buf), foo);
>

Not quite right. If buf is a char array, as suggested by the use of sizeof, then you're not passing a char* to snprintf. You need to lose the & in your macro.

--
regards,
kushal

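Added example, not part of the original thread: the size-argument bug quoted above next to a corrected call that uses the macro without the `&`. The names `DESCR`, `ARENA`, `CAP`, `buggy` and `fixed` and the sample input are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* The thread's macro with the '&' dropped, as the reply asks: the array then
 * decays to char *, while sizeof still sees the whole array. With '&v' the
 * first argument has type char (*)[N], which is not what snprintf takes.
 * Valid only when v is a real array; for a pointer, sizeof gives the
 * pointer's size instead. */
#define DESCR(v) (v), sizeof (v)

#define ARENA 64  /* real storage, so the demo never writes out of bounds */
#define CAP    8  /* the size the programmer believes the buffer has */

/* Pattern from the quoted bug: the limit is taken from the source string.
 * Copies the result to out; returns the bytes written beyond CAP.
 * ("%s" is added here so that only the size argument is under test.) */
size_t buggy(const char *foo, char *out, size_t out_cap)
{
    char arena[ARENA] = {0};
    if (strlen(foo) >= ARENA)
        return 0;                              /* keep the demo in bounds */
    snprintf(arena, strlen(foo), "%s", foo);   /* wrong: source length */
    size_t used = strlen(arena) + 1;           /* text plus terminator */
    snprintf(out, out_cap, "%s", arena);
    return used > CAP ? used - CAP : 0;
}

/* Corrected call: the limit is the destination's own size.
 * Copies the result to out; returns 1 if the input was truncated.
 * (snprintf) is parenthesised because a macro that expands to two arguments
 * miscounts if the C library defines snprintf as a function-like macro. */
int fixed(const char *foo, char *out, size_t out_cap)
{
    char buf[CAP];
    int n = (snprintf)(DESCR(buf), "%s", foo);
    snprintf(out, out_cap, "%s", buf);
    return n < 0 || (size_t)n >= sizeof buf;
}

int main(void)
{
    char out[ARENA];
    const char *foo = "0123456789ABCDEF";      /* constructed 16-byte input */
    size_t past = buggy(foo, out, sizeof out);
    printf("buggy: %zu bytes past CAP, got \"%s\"\n", past, out);
    printf("fixed: truncated=%d, got \"%s\"\n", fixed(foo, out, sizeof out), out);
    return 0;
}
```

The buggy form fails in both directions: it writes past the intended capacity for long input and drops the last character of input that would have fit.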
From: Lawrence D'Oliveiro on 27 Jun 2010 07:46

In message <mailman.2184.1277626565.32709.python-list(a)python.org>, Kushal Kumaran wrote:
> On Sun, Jun 27, 2010 at 9:47 AM, Lawrence D'Oliveiro
> <ldo(a)geek-central.gen.new_zealand> wrote:
>
>> In message <roy-854954.20435125062010(a)news.panix.com>, Roy Smith wrote:
>>
>>> I recently fixed a bug in some production code. The programmer was
>>> careful to use snprintf() to avoid buffer overflows. The only problem
>>> is, he wrote something along the lines of:
>>>
>>> snprintf(buf, strlen(foo), foo);
>>
>> A long while ago I came up with this macro:
>>
>> #define Descr(v) &v, sizeof v
>>
>> making the correct version of the above become
>>
>> snprintf(Descr(buf), foo);
>
> Not quite right. If buf is a char array, as suggested by the use of
> sizeof, then you're not passing a char* to snprintf.

What am I passing, then?

From: Lawrence D'Oliveiro on 27 Jun 2010 07:51

In message <mailman.2183.1277623909.32709.python-list(a)python.org>, Ian Kelly wrote:
> On Sat, Jun 26, 2010 at 8:31 PM, Lawrence D'Oliveiro
> <ldo(a)geek-central.gen.new_zealand> wrote:
>
>> Except I only needed two calls to SQLString, while you need two dozen
>> instances of that repetitive items.c boilerplate.
>>
>> As a human, being repetitive is not my job. That's what the computer is
>> for.
>
> Then why do you have every parameter prefixed with "modify_"? 8-)

Touché :). Actually it's because the same form can be used to add a new record to the table, so there's a separate set of input fields for that.

> But seriously, if that bothers you, then fold the "items.c." portion
> into the generator expression with a getattr call. Or just change
> them back to the same strings you had originally, and sqlalchemy will
> be just as happy to accept them as-is.

All this trouble, and it only gets rid of 2 of the 3 instances of data-escaping in the example.

From: Nobody on 27 Jun 2010 09:55

On Sun, 27 Jun 2010 14:36:10 +1200, Lawrence D'Oliveiro wrote:
>> In any case, you're still trying to make arguments about whether it's easy
>> or hard to get it right, which completely misses the point. Eliminating
>> the escaping entirely makes it impossible to get it wrong.
>
> Except nobody has yet shown an alternative which is easier to get right.

For SQL, use stored procedures or prepared statements.

For HTML/XML, use a DOM (or similar) interface.