cannot concatenate 'str' and 'list' objects

  • Thread starter Νικόλαος Κούρας

Νικόλαος Κούρας

Hello,

I recently changed webhost and in the new one I am getting this error, which you can see if you visit http://superhost.gr, when program execution reaches the line:

f = open( '../' + page )

In the previous host I wasn't getting this error.

page's contents is:

page = form.getvalue('page')
 
Νικόλαος Κούρας

Sorry, the problem appears when you try to input data at the bottom of the page in the text area boxes and click submit.

This is the error appearing:

A problem occurred in a Python script. Here is the sequence of function calls leading up to the error, in the order they occurred.

/home/nikos/public_html/cgi-bin/counter.py in ()
56 # I would suggest using some kind of verification function to check that the value of 'page' is OK, before opening the file.
57
58 f = open( '../' + page )
59
60 # read first line of the file
f undefined, builtin open = <built-in function open>, page = ['index.html', 'index.html']
<type 'exceptions.TypeError'>: cannot concatenate 'str' and 'list' objects
args = ("cannot concatenate 'str' and 'list' objects",)
message = "cannot concatenate 'str' and 'list' objects"
 
Chris Angelico

Hello,

I recently changed webhost and in the new one I am getting this error, which you can see if you visit http://superhost.gr, when program execution reaches the line:

f = open( '../' + page )

In the previous host I wasn't getting this error.

page's contents is:

page = form.getvalue('page')

Well, clearly '../' is a string (str), and page must be a list. But
without knowing your web framework it's hard to be sure what's going
on.

My guess is that form.getvalue() is returning a list of form elements
with that name, so you have a list with one element in it. But check
your documentation to be sure.

Since this changed when you changed hosts, it may mean you now have a
completely different framework. Possibly you can configure this.
Alternatively, it may simply be a different version of the same
system. It's hard to know just based on this, though.

ChrisA
 
Νικόλαος Κούρας

On Saturday, 15 September 2012 3:34:34 PM UTC+3, user Chris Angelico wrote:
Well, clearly '../' is a string (str), and page must be a list. But
without knowing your web framework it's hard to be sure what's going
on.

My guess is that form.getvalue() is returning a list of form elements
with that name, so you have a list with one element in it. But check
your documentation to be sure.

Since this changed when you changed hosts, it may mean you now have a
completely different framework. Possibly you can configure this.
Alternatively, it may simply be a different version of the same
system. It's hard to know just based on this, though.

ChrisA

I am not using frameworks, just plain Python code written in Notepad++.

Can you please tell me how to switch this line in order for this line to work?
 
Chris Angelico

I am not using frameworks, just plain Python code written in Notepad++.

Can you please tell me how to switch this line in order for this line to work?

f = open( '../' + page[0])

will possibly work. But do try to understand what's happening, rather
than simply solve the problem. You may find that something else has
changed too.

ChrisA
 
Νικόλαος Κούρας

On Saturday, 15 September 2012 4:38:51 PM UTC+3, user Chris Angelico wrote:
I am not using frameworks, just plain Python code written in Notepad++.

Can you please tell me how to switch this line in order for this line to work?

f = open( '../' + page[0])

will possibly work. But do try to understand what's happening, rather
than simply solve the problem. You may find that something else has
changed too.

ChrisA

I see you try to extract only the 1st element of the list; I tried that too, but it gives me now this weird message:

if you visit my website http://superhost.gr
 
Roy Smith

I see you try to extract only the 1st element of the list; I tried that too,
but it gives me now this weird message:

if you visit my website http://superhost.gr

Do you realize that the hosting service you're using (HostGator) is so
mis-configured that it is exposing your source code and credentials to
the entire world?

When I go to that URL, I get a page which includes the name of the CGI
script you are running (/home/nikos/public_html/cgi-bin/counter.py). I
can then do a GET on http://superhost.gr/~nikos/cgi-bin/counter.py, and
can see your script source code, including the credentials to attach to
your database:

conn = MySQLdb.connect( db = 'nikos_tech', host = 'localhost', user =
'nikos_nikos', passwd = <elided>)

How to properly configure a web server is way beyond the scope of this
mailing list, but you really need to do some research there to safeguard
your own data.
 
Peter Otten

Νικόλαος Κούρας said:
On Saturday, 15 September 2012 4:38:51 PM UTC+3, user Chris Angelico wrote:
I am not using frameworks, just plain Python code written in Notepad++.

Can you please tell me how to switch this line in order for this line
to work?

f = open( '../' + page[0])

will possibly work. But do try to understand what's happening, rather
than simply solve the problem. You may find that something else has
changed too.

ChrisA

I see you try to extract only the 1st element of the list; I tried that
too, but it gives me now this weird message:

if you visit my website http://superhost.gr

You seem to have encoding problems:
\xf4\xdd\xf4\xef\xe9\xef \xe1\xf1\xf7\xe5\xdf\xef \xde
\xea\xe1\xf4\xdc\xeb\xef\xe3\xef\xf2'.decode("iso-8859-7")
Δεν υπάρχει τέτοιο αρχείο ή κατάλογος

That doesn't look weird (I'd guess) for someone who knows Greek...

Proceeding to

http://superhost.gr/cgi-bin/counter.py?page=foo.html

versus

http://superhost.gr/cgi-bin/counter.py?page=foo.html&page=bar.html

it turns out that you get a list as the page variable only in the latter
case. So you might have provoked your initial problem by following a buggy
url with a duplicate page argument.
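An added example, not part of any post in this thread: one way to write the verification step that the comment in the traceback asks for, rejecting the duplicate page argument described above before the value reaches open(). It uses urllib.parse.parse_qs in place of the script's form.getvalue(); resolve_page, BadPage and the web_root argument are assumed names, and the demo query strings are constructed.

```python
import os
import tempfile
from urllib.parse import parse_qs


class BadPage(ValueError):
    """Raised when the 'page' parameter is missing, repeated or unsafe."""


def resolve_page(query_string, web_root):
    """Return the absolute path of the requested page inside web_root."""
    # parse_qs always returns lists, so a repeated parameter is visible
    # instead of silently changing the value's type from str to list.
    values = parse_qs(query_string).get("page", [])
    if len(values) != 1:
        raise BadPage("expected exactly one 'page', got %d" % len(values))
    page = values[0]
    if not page.endswith(".html") or "\x00" in page:
        raise BadPage("not an .html page: %r" % page)
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, page))
    # realpath collapses '..' and symlinks; the result must stay under root.
    if os.path.commonpath([root, target]) != root:
        raise BadPage("outside web root: %r" % page)
    if not os.path.isfile(target):
        raise BadPage("no such page: %r" % page)
    return target


if __name__ == "__main__":
    # Constructed demo: a throwaway web root holding a single page.
    demo_root = tempfile.mkdtemp()
    open(os.path.join(demo_root, "index.html"), "w").close()
    for qs in ("page=index.html",
               "page=index.html&page=index.html",
               "page=../cgi-bin/counter.py"):
        try:
            print(qs, "->", resolve_page(qs, demo_root))
        except BadPage as exc:
            print(qs, "-> rejected:", exc)
```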
 
Νικόλαος Κούρας

On Saturday, 15 September 2012 5:21:22 PM UTC+3, user Roy Smith wrote:
Do you realize that the hosting service you're using (HostGator) is so
mis-configured that it is exposing your source code and credentials to
the entire world?

When I go to that URL, I get a page which includes the name of the CGI
script you are running (/home/nikos/public_html/cgi-bin/counter.py). I
can then do a GET on http://superhost.gr/~nikos/cgi-bin/counter.py, and
can see your script source code, including the credentials to attach to
your database:

conn = MySQLdb.connect( db = 'nikos_tech', host = 'localhost', user =
'nikos_nikos', passwd = <elided>)

How to properly configure a web server is way beyond the scope of this
mailing list, but you really need to do some research there to safeguard
your own data.

I can't believe that my source code can be seen by ANYONE this easily!!!!

I moved to HostGator because I heard they were the best in the hosting business.....
 
Chris Angelico

On Saturday, 15 September 2012 5:21:22 PM UTC+3, user Roy Smith wrote:

I can't believe that my source code can be seen by ANYONE this easily!!!!

I moved to HostGator because I heard they were the best in the hosting business.....

It's probably a simple misconfiguration that can be easily fixed. If
you don't yourself understand it, talk to HostGator support;
presumably you're paying them money for hosting, so they should be
both able and willing to help you sort that out.

I would recommend that you change your database password as soon as
that's done, lest someone "seize the day" and take control of your
database.

ChrisA
 
Νικόλαος Κούρας

In my case an .htaccess file redirects all HTML requests to /cgi-bin/counter.py, also providing as an argument to the counter.py script the initial HTML file request.

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^/?(.+\.html) /cgi-bin/counter.py?page=$1 [L,PT,QSA]

So the latter you mentioned is not the case for me.
But I am wondering why this doesn't work on this server while on my previous host it did.....
 
Chris Angelico

In my case an .htaccess file redirects all HTML requests to /cgi-bin/counter.py, also providing as an argument to the counter.py script the initial HTML file request.

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^/?(.+\.html) /cgi-bin/counter.py?page=$1 [L,PT,QSA]

So the latter you mentioned is not the case for me.
But I am wondering why this doesn't work on this server while on my previous host it did.....

Okay, now we're getting to a possible difference. Check if this is
properly working; perhaps HostGator don't let you use the rewrite
engine in .htaccess. Make sure your .htaccess is in the right
directory, too. I just tried a quick check and was greeted with a 404
page, so the rule you describe isn't active.

ChrisA
 
Νικόλαος Κούρας

The .htaccess file works with HostGator because the page was working all day, redirecting all HTML requests fine to the counter.py script.

Only when I tried to post data to the text area boxes did this problem make its appearance.
 
Roy Smith

Νικόλαος Κούρας said:
I can't believe that my source code can be seen by ANYONE this easily!!!!

Which is why I pointed it out. I mean no disrespect, but you appear to
be in over your head. That's fine (we're all in over our heads at some
point, that's how we learn new things), but once you're running a server
on the Internet, the consequences of your actions become much more
severe.

I moved to HostGator because I heard they were the best in the hosting
business.....

The hosting business means different things to different people. At one
end, there's places like WordPress and Tumblr which hide all the details
and let you pour content into a blog with some control over styling. At
the other end, there's places like AWS, Rackspace, etc, which give you a
raw (virtual) machine, and you're free to do anything you want on it.

In between, there's places like HostGator, which give you a slice of a
shared host, and you're free to install cgi scripts under the control of
Apache. How much you get to play with the Apache configuration probably
varies wildly from provider to provider. It looks like HostGator either
has things mis-configured to allow your /cgi-bin directory to be
visible, or allows you the ability to configure those things yourself,
and you mis-configured it.
 
Chris Angelico

Previous webhost has the same flaw as well, look:

http://www.errorweb.gr/~nikos/cgi-bin/

giving away all my scripts.

Webhost misconfiguration in both hosts!

And when I look at the scripts, I see things that do not fill me with
confidence. You appear to be reinventing the wheel, and making it
hexagonal in the process. That's not to say you shouldn't tinker with
wheel design now and then, but as Roy said, the consequences get quite
severe once you're hosting a web site to the world.

I've been guilty of the same sorts of issues myself. I was poking at
some old code today (code that dates back a few years to when I was
new to PHP and didn't know of any other way to make a dynamic web site
other than CGI) and found some pretty ridiculous coding bloopers.
Stuff that didn't stop the site's primary functionality from working,
but it sure isn't what I'd call good code. Some day I'll rewrite it
all... some day I'll have time available... anyway.

Your counter.py appears to be doing what most people do after the fact
with log-file analysis. It's usually a lot better to simply parse
Apache's log files to find out how many people view your pages, rather
than maintaining the statistics. This has a race condition in it:

# update existing visitor record if same pin and same host found
try:
    cursor.execute( '''UPDATE visitors SET hits = hits + 1, agent = %s,
        date = %s WHERE pin = %s AND host = %s''', (agent, date, pin, host))
except MySQLdb.Error, e:
    print ( "Error %d: %s" % (e.args[0], e.args[1]) )

# insert new visitor record if above update did not affect a row
if cursor.rowcount == 0:
    cursor.execute( '''INSERT INTO visitors(pin, host, hits, agent,
        date) VALUES(%s, %s, %s, %s, %s)''', (pin, host, 1, agent, date) )


If two page loads simultaneously execute this code, they'll both fail
to update, and then both attempt to insert.

Also, it's extremely insecure to simply print your database errors.
Emit them to a separate log file that only you have access to, and
monitor that log while you're developing. Once you're done developing,
switch to an alert system if you can, because SQL errors should never
occur (obviously don't alert if there are specific errors that you
intend to cause and catch).

See if you can replace the whole mess of CGI scripts with flat HTML
files and AWStats. You'll have much more flexibility in hosting
company choice, less risk of security breaches, and much MUCH easier
management.

ChrisA
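An added example, not code from the thread or from counter.py: the update-then-insert pair collapsed into one atomic statement, with database errors sent to a log instead of the response. It assumes a UNIQUE key on (pin, host) and uses the standard-library sqlite3 module as a stand-in for MySQLdb so that it runs offline; make_db, record_hit and hits are assumed names.

```python
import logging
import sqlite3

# In production, attach a FileHandler on a path only the site owner can read.
log = logging.getLogger("counter")


def make_db():
    """Constructed in-memory table mirroring the columns quoted above."""
    db = sqlite3.connect(":memory:")
    # The UNIQUE key lets the database, not the script, decide whether
    # the visitor row already exists.
    db.execute("""CREATE TABLE visitors (
        pin INTEGER, host TEXT, hits INTEGER, agent TEXT, date TEXT,
        UNIQUE (pin, host))""")
    return db


def record_hit(db, pin, host, agent, date):
    """Count one visit in a single statement; return True on success."""
    try:
        with db:  # commit on success, roll back on error
            # MySQL spells this INSERT ... ON DUPLICATE KEY UPDATE.
            db.execute(
                """INSERT INTO visitors (pin, host, hits, agent, date)
                   VALUES (?, ?, 1, ?, ?)
                   ON CONFLICT (pin, host) DO UPDATE SET
                       hits = hits + 1,
                       agent = excluded.agent,
                       date = excluded.date""",
                (pin, host, agent, date))
        return True
    except sqlite3.Error:
        # Full detail goes to the log; the visitor's page shows nothing.
        log.exception("visitor update failed")
        return False


def hits(db, pin, host):
    """Return the stored hit count for one visitor, or 0 if absent."""
    row = db.execute("SELECT hits FROM visitors WHERE pin = ? AND host = ?",
                     (pin, host)).fetchone()
    return row[0] if row else 0
```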
 