0

What do %, %% represent?

request.form['username'].replace('%', '%%')
                                 ^     ^
#This code was written in python 2.7
#This is the entire line

2nd Jun 2019, 7:30 AM
Anonymous Guy
6 Answers
+ 3
Well, you ask for somebody's user name and a user with bad intentions enters something like "bla'); DROP TABLE users;" and your precious data is gone. Don't know if it really works, but even the official docs say that string formatting with % shouldn't be used because of possible SQL injections
2nd Jun 2019, 6:32 PM
Anna
+ 7
I guess you're using the sqlite module. First, never use string formats like << '%s' % variable >> with SQLite. It will make your code prone to SQL injections. Use SQLite's syntax instead: cur.execute('SELECT * FROM table WHERE variable=?;', (variable,)). To answer your question: % has a special meaning in string formatting. %s is for a string, %d for an integer etc. If you actually want to use a percent sign in the string, you need to escape it by writing a double %%. I guess replacing every '%' with '%%' might be an attempt to prevent SQL injections, but it is by no means secure.
2nd Jun 2019, 9:29 AM
Anna
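The two answers above (Anna's, and the one mentioning "bla'); DROP TABLE users;") make the same point: doubling % only affects Python's string formatting step, not SQL quoting, so it neither prevents injection nor even handles legitimate input correctly. The following is an added example, not code from the thread; it uses Python's built-in sqlite3 module with a constructed in-memory admins table (the original poster's database was MariaDB, so the table and rows here are an assumption) to compare the question's formatted query with a parameterised one.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory admins table with two rows.
    One username deliberately contains a percent sign."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('alice', 'hunter2')")
    conn.execute("INSERT INTO admins VALUES ('100%', 'pw-for-percent-user')")
    conn.commit()
    return conn


def build_formatted_query(username):
    """The pattern from the question: %-formatting plus replace('%', '%%').
    Returns the SQL text so the effect on the statement can be inspected.
    Note that '%%' inside a substituted VALUE is not collapsed back to '%';
    only '%%' written in the format string itself is."""
    return "SELECT password FROM admins WHERE username='%s'" % username.replace('%', '%%')


def run_formatted(conn, username):
    """Execute the formatted query. Returns ("ok", password_or_None) or
    ("error", exception class name) when the input breaks the SQL syntax."""
    try:
        row = conn.execute(build_formatted_query(username)).fetchone()
    except sqlite3.OperationalError as exc:
        return ("error", type(exc).__name__)
    return ("ok", row[0] if row else None)


def lookup_password_safe(conn, username):
    """Parameterised version: the driver sends the value as data, so quotes
    and percent signs in the username can never change the statement."""
    row = conn.execute(
        "SELECT password FROM admins WHERE username=?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "100%", "o'brien"):
        print(repr(name))
        print("  formatted SQL :", build_formatted_query(name))
        print("  formatted run :", run_formatted(db, name))
        print("  parameterised :", lookup_password_safe(db, name))
```

Running it shows three things: the user "100%" is stored under that name but the formatted query searches for '100%%' and finds nothing, so the replace call silently breaks a legitimate lookup; a single quote in the input (the surname O'Brien) turns the formatted statement into invalid SQL because quoting is never handled at all, which is exactly the opening an injection exploits; and the parameterised query handles both inputs as plain data. With a MariaDB driver such as PyMySQL or mysql-connector the placeholder is %s rather than ?, but the rule is the same: pass the value in the separate parameters tuple and let the driver escape it.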
+ 5
It replaces a single % with a double %.
2nd Jun 2019, 8:16 AM
Anna
+ 1
Anna, thanks a lot 😊
3rd Jun 2019, 1:39 AM
Anonymous Guy
0
Anna, how will that help in this code? cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%'))
2nd Jun 2019, 8:39 AM
Anonymous Guy
0
Anna, it was MariaDB. And how can replacing an escape character help in preventing SQL injection? Sorry for the trouble 😁
2nd Jun 2019, 5:50 PM
Anonymous Guy