
Typo in example in *Calling Other Programs: Injection and Filenames / When Parameterized Statem


I found a typo in Calling Other Programs: Injection and Filenames / When Parameterized Statements Won't Work.

Quotes should not be in this example

table_name_untrusted = request.get("table_name") # This is untrusted, don't put this directly in the query!
...

i.e. the correct version is

table_name_untrusted = request.get(table_name) # This is untrusted, don't put this directly in the query!
...

Because table_name is a variable that contains the table's actual name.

Then, the example provides a safer way to select a particular table.

What do you think?
Vitek
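As an added illustration of the allowlist approach the post refers to (example code written here, not the course's own snippet): the untrusted table name, whatever `request.get(...)` returned, is used only as a key into a fixed dict, so the identifier that reaches SQL always comes from the allowlist, while the row value is still bound as a normal parameter. The sqlite3 tables and rows are constructed for the demo.

```python
import sqlite3

# Allowlist of table names the application may query. The untrusted
# input is only ever a lookup key; the string interpolated into SQL
# comes from this dict, never from the request.
ALLOWED_TABLES = {
    "users": "users",
    "orders": "orders",
}


def select_by_id(conn, table_name_untrusted, row_id):
    """Fetch one row from an allowlisted table.

    A table name cannot be a bound parameter, so it is resolved through
    ALLOWED_TABLES instead; the row id is passed as a real parameter.
    Raises ValueError for any table name not on the allowlist.
    """
    try:
        table = ALLOWED_TABLES[table_name_untrusted]
    except KeyError:
        raise ValueError("table not allowed") from None
    # Only the allowlisted identifier is interpolated; values stay parameterized.
    query = f"SELECT id, name FROM {table} WHERE id = ?"
    return conn.execute(query, (row_id,)).fetchall()


def build_demo_db():
    """Constructed in-memory data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    conn.execute("INSERT INTO orders VALUES (1, 'widget')")
    return conn


def demo():
    """Returns (rows for an allowed table, whether an unknown table was rejected)."""
    conn = build_demo_db()
    rows = select_by_id(conn, "users", 2)
    try:
        select_by_id(conn, "not_a_real_table", 1)
        rejected = False
    except ValueError:
        rejected = True
    return rows, rejected


if __name__ == "__main__":
    print(demo())
```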
