What does %, %% represent

request.form['username'].replace('%', '%%') ^ ^ #This code was written in python 2.7 #This is the entire line

2nd Jun 2019, 7:30 AM

‎ ‏‏‎Anonymous Guy

6 Respuestas

+ 3

Well, you ask for somebody's user name and a user with bad intentions enters something like "bla'); DROP TABLE users;" and your precious data is gone. Don't know if it really works, but even the official docs say that string formatting with % shouldn't be used because of possible SQL injections

2nd Jun 2019, 6:32 PM

Anna

+ 7

I guess you're using the sqlite module. First, never use string formats like << '%s' % variable >> with SQLite. It will make your code prone to SQL injections. Use SQLite's syntax instead: cur.execute('SELECT * FROM table WHERE variable=?;', (variable,)). To answer your question: % has a special meaning in string formatting. %s is for a string, %d for an integer etc. If you actually want to use a percent sign in the string, you need to escape it by writing a double %%. I guess replacing every '%' with '%%' might be an attempt to prevent SQL injections, but it is by no means secure.

2nd Jun 2019, 9:29 AM

Anna

+ 5

It replaces a single % with a double %.

2nd Jun 2019, 8:16 AM

Anna

+ 1

Anna thank a lottttt😊

3rd Jun 2019, 1:39 AM

‎ ‏‏‎Anonymous Guy

Anna how will that help in this code cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%'))

2nd Jun 2019, 8:39 AM