Welcome to the Linux Foundation Forum!

Typo in example in *Calling Other Programs: Injection and Filenames / When Parameterized Statements Won't Work*

I found a typo in Calling Other Programs: Injection and Filenames / When Parameterized Statements Won't Work

Quotes should not be in this example

  table_name_untrusted = request.get("table_name") # This is untrusted, don't put this directly in the query!
  ...

i.e., the correct version is

  table_name_untrusted = request.get(table_name) # This is untrusted, don't put this directly in the query!
  ...

Because table_name is a variable that contains the table's actual name.

Then, the example provides a safer way to select a particular table.

What do you think?
Vitek
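The course passage Vitek refers to is about the case a parameterized statement cannot cover: a table name is an identifier, not a value, so it cannot be bound with a placeholder and has to be checked against an allow-list before it reaches the query text. The following is an added example written for this thread, not the course's own code. It assumes an in-memory SQLite database with two constructed tables (users and orders), an allow-list of exactly those two names, and a constructed attacker payload; it takes the untrusted table name as a function argument rather than reading it from a request object.

```python
import sqlite3

# Constructed allow-list: the only tables this code path may ever read from.
ALLOWED_TABLES = {"users", "orders"}


def list_ids_unsafe(conn, table_name_untrusted):
    # Deliberately vulnerable: the untrusted identifier is spliced straight into the SQL.
    query = f"SELECT id FROM {table_name_untrusted}"
    return [row[0] for row in conn.execute(query)]


def resolve_table(table_name_untrusted):
    # Compare the untrusted value against the allow-list and reject anything else
    # before it gets anywhere near the query text. Quoting the identifier is not a
    # substitute for this: the attacker still picks which table gets read.
    if table_name_untrusted not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {table_name_untrusted!r}")
    return table_name_untrusted


def list_ids_safe(conn, table_name_untrusted, min_id=0):
    table = resolve_table(table_name_untrusted)
    # The identifier is now known-good; the filter value is still bound as a parameter.
    query = f"SELECT id FROM {table} WHERE id >= ?"
    return [row[0] for row in conn.execute(query, (min_id,))]


def make_db():
    # Constructed sample schema and rows.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER);"
        "INSERT INTO users (name) VALUES ('alice'), ('bob');"
        "INSERT INTO orders (user_id) VALUES (1);"
    )
    return conn


# Constructed attacker input: a "table name" that turns the id listing into a schema dump.
PAYLOAD = "users WHERE 0 UNION SELECT sql FROM sqlite_master"


def demo():
    conn = make_db()
    leaked = list_ids_unsafe(conn, PAYLOAD)      # returns CREATE TABLE statements, not ids
    try:
        list_ids_safe(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True                           # allow-list rejected the payload
    return {"leaked": leaked, "blocked": blocked, "safe": list_ids_safe(conn, "users")}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two behaviours side by side: the unsafe variant returns the CREATE statements from sqlite_master instead of ids, while the allow-listed variant raises before any SQL is built and still returns the real ids for a legitimate table name.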
