0
What do %, %% represent?
request.form['username'].replace('%', '%%')
# This code was written in Python 2.7
# This is the entire line
6 Answers
+ 3
Well, you ask for somebody's user name and a user with bad intentions enters something like "bla'); DROP TABLE users;" and your precious data is gone. Don't know if it really works, but even the official docs say that string formatting with % shouldn't be used because of possible SQL injections
+ 7
I guess you're using the sqlite module.
First, never use string formats like '%s' % variable with SQLite. It will make your code prone to SQL injections. Use SQLite's syntax instead: cur.execute('SELECT * FROM table WHERE variable=?;', (variable,)).
To answer your question: % has a special meaning in string formatting. %s is for a string, %d for an integer etc. If you actually want to use a percent sign in the string, you need to escape it by writing a double %%. I guess replacing every '%' with '%%' might be an attempt to prevent SQL injections, but it is by no means secure.
+ 5
It replaces a single % with a double %.
+ 1
Anna, thanks a lot!
0
Anna, how will that help in this code?
cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%'))
0
Anna, it was MariaDB.
And how can replacing an escape character help in preventing SQL injection?
Sorry for the trouble.
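To make the second answer's points concrete (what %s, %d and %% mean to Python's % operator, and why the replace('%', '%%') in the question does not prevent SQL injection, which is also what the last comment asks), here is an added example that is not code from this thread. It assumes an in-memory SQLite table named admins with constructed rows standing in for the MariaDB table in the question; the %-formatting behaviour shown is Python's and does not depend on the database, and the placeholder style is the same idea (SQLite uses ?, MySQL/MariaDB DB-API drivers such as PyMySQL use %s).

```python
import sqlite3

# Constructed sample data standing in for the 'admins' table in the question
# (in-memory SQLite here; the thread's real database was MariaDB).
SAMPLE_ADMINS = [("alice", "pw-alice"), ("100%", "pw-percent"), ("bob", "pw-bob")]


def make_db():
    """Create an in-memory database holding the constructed admins table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", SAMPLE_ADMINS)
    conn.commit()
    return conn


def percent_format_demo():
    """%s and %d are conversion directives of the FORMAT string (left of %);
    %% in that format string yields one literal percent sign."""
    return "%s scored %d%%" % ("alice", 95)  # -> 'alice scored 95%'


def argument_is_not_formatted(username):
    """The thread's replace() runs on the ARGUMENT (right of %), which Python
    inserts verbatim, so the doubled %% is never collapsed back to a single %."""
    return "%s" % username.replace("%", "%%")


def build_query_with_format(username):
    """The query from the thread: escape % as %%, then splice the value into
    the SQL text with %-formatting. Returns the SQL text that would run."""
    return "SELECT password FROM admins WHERE username='%s'" % username.replace("%", "%%")


def lookup_with_format(conn, username):
    """Run the string-formatted query. The %% replacement leaves quotes alone,
    so a quote in the input still terminates the string literal in the SQL."""
    rows = conn.execute(build_query_with_format(username)).fetchall()
    return [r[0] for r in rows]


def lookup_parameterized(conn, username):
    """The approach the answer recommends: placeholder in the SQL, value passed
    separately, so the database never parses the value as SQL."""
    rows = conn.execute("SELECT password FROM admins WHERE username=?", (username,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(percent_format_demo())                 # alice scored 95%
    print(argument_is_not_formatted("100%"))     # 100%%  (the replace changed the value)
    print(build_query_with_format("100%"))       # ...username='100%%'
    print(lookup_with_format(db, "100%"))        # []  legitimate user '100%' no longer found
    print(lookup_parameterized(db, "100%"))      # ['pw-percent']
    quoted = "' OR '1'='1"                       # constructed input containing a quote
    print(lookup_with_format(db, quoted))        # every password: the quote was never escaped
    print(lookup_parameterized(db, quoted))      # []  treated as a literal username
```

Two things fall out of running it: the replace does not protect anything, because the only character that matters for breaking out of the SQL string literal is the quote, which it never touches; and it actively breaks a legitimate username containing a percent sign, because the argument to % is inserted verbatim and the doubled %% ends up in the SQL. The parameterized lookup handles both inputs correctly.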