Storing HTML source code in python variable
Here is the code I'm using:
import urllib2
import psycopg2
add = 'http://google.com'
res = urllib2.urlopen(add)
url_html = res.read()
con = psycopg2.connect(user='postgres',password='test_pwd',host='localhost',port=5432,database='test_db')
cur = con.cursor()
cur.execute("INSERT INTO output(output) values ('%r')" %(url_html))
#cur.execute("INSERT INTO output(output) values ('''%s''')" %(url_html))
con.commit()
Now it's throwing an error because of ' ', as quotes are inside the page's source code too. Can anybody help me out with this? Thanks for your help.
You should always escape database input, even if you're just downloading HTML from a web page, or you're making yourself vulnerable to SQL Injection. What if someone puts a `drop table` command in the HTML? You might end up executing it. Also, in your case escaping will actually solve your problem.
In psycopg2 you can escape parameters like this:
cur.execute("INSERT INTO test (num, data) VALUES (%s, %s)", (100, "abc'def"))
(shamelessly stolen from http://initd.org/psycopg/docs/usage.html)
Read more about SQL Injection: What is SQL injection?
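An added example (not code from the question or the answer) that reproduces the asker's failure and the fix the answer proposes. It uses the standard-library sqlite3 module as a stand-in for psycopg2 because no PostgreSQL server is assumed; sqlite3 writes placeholders as ? where psycopg2 uses %s, but the DB-API parameter-binding pattern is otherwise the same.

```python
import sqlite3

# Constructed sample "page source": it contains both kinds of quotes,
# as real HTML routinely does. Not taken from any real site.
SAMPLE_HTML = """<html><body onload="init()">
<a href='/x'>Don't click</a>
</body></html>"""


def formatted_sql(html):
    """The asker's approach: splice the value into the SQL text with %r.
    Quotes inside the HTML end the string literal early, so the statement
    the database receives is no longer the one the programmer intended."""
    return "INSERT INTO output(output) values ('%r')" % (html,)


def _fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE output(output TEXT)")
    return con


def store_formatted(html):
    """Run the spliced statement. Returns (stored_value, error_message);
    one of the two is always None."""
    con = _fresh_db()
    try:
        con.execute(formatted_sql(html))
    except sqlite3.Error as exc:  # malformed SQL produced by the quotes in html
        return None, str(exc)
    return con.execute("SELECT output FROM output").fetchone()[0], None


def store_bound(html):
    """The answer's approach: pass the value as a bound parameter. The
    driver ships it separately from the SQL text, so quotes (or a stray
    'drop table') inside the HTML are stored as data, never parsed as SQL."""
    con = _fresh_db()
    con.execute("INSERT INTO output(output) VALUES (?)", (html,))  # psycopg2: %s
    con.commit()
    return con.execute("SELECT output FROM output").fetchone()[0]


if __name__ == "__main__":
    print("formatted:", store_formatted(SAMPLE_HTML))
    print("bound round-trips intact:", store_bound(SAMPLE_HTML) == SAMPLE_HTML)
```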