I don't get why it makes trouble

Discussion in 'Python' started by azrael, Aug 13, 2009.

  1. azrael

    azrael Guest

    >>> j
    [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
    >>> len(j)

    5
    >>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija, d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija as z, drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv = '%s'""" % (j)

    Traceback (most recent call last):
    File "<string>", line 1, in <string>
    TypeError: not enough arguments for format string


    I want to format the string. The list has five elements and the string
    has five placeholders, but it won't format the string.
     
    azrael, Aug 13, 2009
    #1

  2. 13-08-2009 azrael <> wrote:

    >>>> j

    > [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
    >>>> len(j)

    > 5
    >>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
    >>>> d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija as
    >>>> z, drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv = '%s'
    >>>> AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv = '%s'""" % (j)

    > Traceback (most recent call last):
    > File "<string>", line 1, in <string>
    > TypeError: not enough arguments for format string
    >
    >
    > I want to format the string. The list has five elements and the string
    > has five placeholders, but it won't format the string.


    j must be a tuple -- so either define it as

    (u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna')

    or when using it, wrap it with tuple() constructor:

    h = """...........""" % tuple(j)

    --
    Jan Kaliszewski (zuo) <>
     
    Jan Kaliszewski, Aug 13, 2009
    #2

  3. Me wrote:

    > 13-08-2009 azrael <> wrote:
    >
    >>>>> j

    >> [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
    >>>>> len(j)

    >> 5
    >>>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
    >>>>> d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija as
    >>>>> z, drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv =
    >>>>> '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv = '%s'""" %
    >>>>> (j)

    >> Traceback (most recent call last):
    >> File "<string>", line 1, in <string>
    >> TypeError: not enough arguments for format string
    >>
    >>
    >> I want to format the string. The list has five elements and the string
    >> has five placeholders, but it won't format the string.

    >
    > j must be a tuple -- so either define it as

    [snip]

    PS. If you use Python 2.6 or newer, better use the .format() method
    (then you can also use a list):

    >>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija, \
    ... d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija as \
    ... z, drzava as d, valuta as v WHERE u.naziv = '{0}' AND o.naziv = \
    ... '{1}' AND z.naziv = '{2}' AND d.naziv = '{3}' AND v.naziv = '{4}'\
    ... """.format(*j)


    Cheers,
    *j

    --
    Jan Kaliszewski (zuo) <>
     
    Jan Kaliszewski, Aug 13, 2009
    #3
  4. azrael

    azrael Guest

    On 13 kol, 21:12, "Jan Kaliszewski" <> wrote:
    > Me wrote:
    > > 13-08-2009 azrael <> wrote:

    >
    > >>>>> j
    > >> [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
    > >>>>> len(j)
    > >> 5
    > >>>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,  
    > >>>>> d.id_drzava, v.id_valuta FROM   ulica as u, opcina as o, zupanija as  
    > >>>>> z, drzava as d, valuta as v  WHERE  u.naziv = '%s' AND o.naziv =  
    > >>>>> '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv = '%s'""" %  
    > >>>>> (j)
    > >> Traceback (most recent call last):
    > >>   File "<string>", line 1, in <string>
    > >> TypeError: not enough arguments for format string

    >
    > >> I want to format the string. The list has five elements and the string
    > >> has five placeholders, but it won't format the string.

    >
    > > j must be a tuple -- so either define it as

    >
    > [snip]
    >
    > PS. If you use Python 2.6 or newer, better use the .format() method
    > (then you can also use a list):
    >
    > >>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija, \

    >
    > ... d.id_drzava, v.id_valuta FROM   ulica as u, opcina as o, zupanija as \
    > ... z, drzava as d, valuta as v  WHERE  u.naziv = '{0}' AND o.naziv = \
    > ... '{1}' AND z.naziv = '{2}' AND d.naziv = '{3}' AND v.naziv = '{4}'\
    > ... """.format(*j)
    >
    > Cheers,
    > *j
    >
    > --
    > Jan Kaliszewski (zuo) <>


    Thanks, worked fine for me. I was a freakin idiot. I forgot about using
    a tuple. Damn lists :D

    Thanks for the debugging of my thoughts and actions.

    thnx
     
    azrael, Aug 13, 2009
    #4
  5. On Aug 13, 2009, at 2:56 PM, azrael wrote:

    >>>> j

    > [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
    >>>> len(j)

    > 5
    >>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
    >>>> d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija
    >>>> as z, drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv
    >>>> = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =
    >>>> '%s'""" % (j)

    > Traceback (most recent call last):
    > File "<string>", line 1, in <string>
    > TypeError: not enough arguments for format string


    Hi azrael,
    You already have an answer to your question so I won't address that. I
    want to point out that this is a dangerous way to build SQL statements.

    For instance, what happens if someone enters a city name of L'viv?
    Your SQL will break due to mismatched single quotes. This kind of code
    is vulnerable to SQL injection attacks:
    http://en.wikipedia.org/wiki/SQL_injection

    Parameterized SQL is safer. Googling for 'parameterized SQL Python'
    should find some examples for you.

    Good luck
    Philip
     
    Philip Semanchuk, Aug 13, 2009
    #5
  6. azrael

    azrael Guest

    On 13 kol, 22:09, Philip Semanchuk <> wrote:
    > On Aug 13, 2009, at 2:56 PM, azrael wrote:
    >
    > >>>> j

    > > [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
    > >>>> len(j)

    > > 5
    > >>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,  
    > >>>> d.id_drzava, v.id_valuta FROM   ulica as u, opcina as o, zupanija  
    > >>>> as z, drzava as d, valuta as v  WHERE  u.naziv = '%s' AND o.naziv  
    > >>>> = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =  
    > >>>> '%s'""" % (j)

    > > Traceback (most recent call last):
    > >  File "<string>", line 1, in <string>
    > > TypeError: not enough arguments for format string

    >
    > Hi azrael,
    > You already have an answer to your question so I won't address that. I  
    > want to point out that this is a dangerous way to build SQL statements.
    >
    > For instance, what happens if someone enters a city name of L'viv?  
    > Your SQL will break due to mismatched single quotes. This kind of code  
    > is vulnerable to SQL injection attacks:http://en.wikipedia.org/wiki/SQL_injection
    >
    > Parameterized SQL is safer. Googling for 'parameterized SQL Python'  
    > should find some examples for you.
    >
    > Good luck
    > Philip


    I know already. This is supposed to be a small office application
    connecting to a LAN MySQL server with no web connection. Thank you
    anyway.
     
    azrael, Aug 13, 2009
    #6
  7. On Aug 13, 2009, at 6:00 PM, azrael wrote:

    > On 13 kol, 22:09, Philip Semanchuk <> wrote:
    >> On Aug 13, 2009, at 2:56 PM, azrael wrote:
    >>
    >>>>>> j
    >>> [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
    >>>>>> len(j)
    >>> 5
    >>>>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
    >>>>>> d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija
    >>>>>> as z, drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv
    >>>>>> = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =
    >>>>>> '%s'""" % (j)
    >>> Traceback (most recent call last):
    >>> File "<string>", line 1, in <string>
    >>> TypeError: not enough arguments for format string

    >>
    >> Hi azrael,
    >> You already have an answer to your question so I won't address
    >> that. I
    >> want to point out that this is a dangerous way to build SQL
    >> statements.
    >>
    >> For instance, what happens if someone enters a city name of L'viv?
    >> Your SQL will break due to mismatched single quotes. This kind of
    >> code
    >> is vulnerable to SQL injection attacks:http://en.wikipedia.org/wiki/SQL_injection
    >>
    >> Parameterized SQL is safer. Googling for 'parameterized SQL Python'
    >> should find some examples for you.
    >>
    >> Good luck
    >> Philip

    >
    > I know already. This is supposed to be a small office application
    > connecting to a LAN MySQL server with no web connection. Thank you
    > anyway.


    You're welcome. I'm glad you are aware. You're ahead of a lot of
    developers out there.

    I encourage you to at least think about using parameterized SQL anyway
    because you never know when someone (maybe even you!) will copy &
    paste your code, or use your library without realizing that it was
    "internal use only". It's usually just as easy as building SQL strings
    anyway.

    And besides, what about L'viv? =)

    Good luck with whatever choice you make
    Philip
     
    Philip Semanchuk, Aug 13, 2009
    #7
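    The point Philip is making above, as an added example (not code from the thread): a value containing a single quote, his L'viv, breaks a string-built query but passes through a parameterized one unchanged. This uses the standard-library sqlite3 module so it runs offline; the MySQLdb driver the thread's author would use takes the same two-argument execute(sql, params) call but spells the placeholder as %s rather than ?. The table layout and rows are constructed here and stand in for the five joined tables in the original query.

```python
import sqlite3

# Constructed sample rows for one of the thread's tables (assumption: a
# single table instead of the five joined ones in the original query).
SAMPLE_ROWS = [(1, "Tata"), (2, "Oriovac"), (3, "L'viv")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ulica (id_ulica INTEGER, naziv TEXT)")
    conn.executemany("INSERT INTO ulica VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_interpolated(conn, name):
    """The pattern from the thread: the value is pasted into the SQL text,
    so a quote inside the value changes the statement itself."""
    sql = "SELECT id_ulica FROM ulica WHERE naziv = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Parameterized form: the value travels separately from the statement,
    so quotes in it are plain data and never reach the SQL parser."""
    sql = "SELECT id_ulica FROM ulica WHERE naziv = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms on the same input and return
    (interpolated_result, parameterized_result); when the interpolated
    statement fails to parse, its slot holds the exception class name."""
    conn = make_db()
    try:
        interpolated = lookup_interpolated(conn, name)
    except sqlite3.Error as exc:
        interpolated = type(exc).__name__
    parameterized = lookup_parameterized(conn, name)
    conn.close()
    return interpolated, parameterized


if __name__ == "__main__":
    for city in ("Tata", "L'viv"):
        print(city, compare(city))
```

    For "Tata" both forms return the same id. For "L'viv" the interpolated statement becomes `... naziv = 'L'viv'`, which the database rejects with a syntax error, while the parameterized statement finds the row; the same separation of statement and data is what keeps deliberately crafted input from being interpreted as SQL.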
  8. azrael

    azrael Guest

    On 14 kol, 00:14, Philip Semanchuk <> wrote:
    > On Aug 13, 2009, at 6:00 PM, azrael wrote:
    >
    >
    >
    >
    >
    > > On 13 kol, 22:09, Philip Semanchuk <> wrote:
    > >> On Aug 13, 2009, at 2:56 PM, azrael wrote:

    >
    > >>>>>> j
    > >>> [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
    > >>>>>> len(j)
    > >>> 5
    > >>>>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
    > >>>>>> d.id_drzava, v.id_valuta FROM   ulica as u, opcina as o, zupanija
    > >>>>>> as z, drzava as d, valuta as v  WHERE  u.naziv = '%s' AND o.naziv
    > >>>>>> = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =
    > >>>>>> '%s'""" % (j)
    > >>> Traceback (most recent call last):
    > >>>  File "<string>", line 1, in <string>
    > >>> TypeError: not enough arguments for format string

    >
    > >> Hi azrael,
    > >> You already have an answer to your question so I won't address  
    > >> that. I
    > >> want to point out that this is a dangerous way to build SQL  
    > >> statements.

    >
    > >> For instance, what happens if someone enters a city name of L'viv?
    > >> Your SQL will break due to mismatched single quotes. This kind of  
    > >> code
    > >> is vulnerable to SQL injection attacks:http://en.wikipedia.org/wiki/SQL_injection

    >
    > >> Parameterized SQL is safer. Googling for 'parameterized SQL Python'
    > >> should find some examples for you.

    >
    > >> Good luck
    > >> Philip

    >
    > > I know already. This is supposed to be a small office application
    > > connecting to a LAN MySQL server with no web connection. Thank you
    > > anyway.

    >
    > You're welcome. I'm glad you are aware. You're ahead of a lot of  
    > developers out there.
    >
    > I encourage you to at least think about using parameterized SQL anyway  
    > because you never know when someone (maybe even you!) will copy &  
    > paste your code, or use your library without realizing that it was  
    > "internal use only". It's usually just as easy as building SQL strings  
    > anyway.
    >
    > And besides, what about L'viv? =)
    >
    > Good luck with whatever choice you make
    > Philip


    Currently I am working on just a prototype to show what it is possible
    to do, to get me some funding for my future work. After that I will
    move over to SQLAlchemy. Its ORM will take over this business for
    me.

    A lot of people are not aware of SQL injection. My friend from college
    asked me and a couple of other guys for pen testing of a website. His
    SQL injection mistake made him an epic fail.

    Thanks
     
    azrael, Aug 14, 2009
    #8
  9. Terry Reedy

    Terry Reedy Guest

    azrael wrote:

    > Thanks Worked fine for me. I was a freakin idiot. I forgot about using
    > a tuple. damn lists :D


    The special casing of tuples versus other sequence objects with %
    formatting, and the forgetting and mistake making of multiple people is
    one of the reasons for the new .format system. Any sequence can either
    be passed and printed as a single object or *unrolled as multiple objects.

    tjr
     
    Terry Reedy, Aug 14, 2009
    #9
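    The tuple special-casing Terry describes, and Jan's two fixes from earlier in the thread, as an added example (not code from the thread): with % formatting a list counts as one object, so five placeholders raise the TypeError the original post shows, while a tuple is unpacked; str.format() takes either a single object or the *unrolled sequence explicitly. The helper as_format_args is my own addition (an assumption, not part of any library), and the sample list is the thread's own, minus the Python 2 u prefixes.

```python
def format_percent(template, values):
    """Apply old-style % formatting; on failure return the error text
    instead of raising, so the two behaviours can be compared side by side."""
    try:
        return template % values
    except TypeError as exc:
        return "TypeError: %s" % exc


def as_format_args(values):
    """Hypothetical helper (not from the thread or any library): turn a list
    into the tuple that % formatting expects, and leave tuples, mappings and
    single values alone, since those already have their own meaning."""
    if isinstance(values, list):
        return tuple(values)
    return values


def demo():
    """Return the outcome of each formatting variant on the thread's list."""
    j = ["Tata", "Oriovac", "PrimorskoGoranska", "hrvatska", "Kuna"]
    five = "%s %s %s %s %s"
    return {
        # The list is treated as ONE object: five placeholders, one argument.
        "list_five": format_percent(five, j),
        # One placeholder, one object: the whole list is printed.
        "list_one": format_percent("%s", j),
        # A tuple is unpacked into one argument per placeholder.
        "tuple_five": format_percent(five, tuple(j)),
        # The helper makes the list behave like the tuple.
        "helper_five": format_percent(five, as_format_args(j)),
        # str.format(): unrolled with *, or passed as a single object.
        "format_unrolled": "{0} {1} {2} {3} {4}".format(*j),
        "format_single": "{0}".format(j),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-16s %s" % (name, result))
```

    The dictionary keys read top to bottom as the thread did: the failure from the first post, then the tuple fix, then the .format() variant that accepts a list.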
