[annotator-dev] Annotator store for MySQL

Nick Stenning nick at whiteink.com
Fri Oct 19 23:29:39 UTC 2012


Well that was rather rude of me. I saw a "%s" and reacted viscerally.
It looks like I might be completely wrong, though. While I'm not
totally familiar with the MySQLdb module, I guess the
cur.execute("select from ... where id = %s", _id) pattern isn't
SQL-injection susceptible.

My apologies,
N

P.S. Although understanding what SQL injection is and knowing how to
defend against it are still obviously good things!

On Sat, Oct 20, 2012 at 12:20 AM, Nick Stenning <nick at whiteink.com> wrote:
> Johnny,
>
> It's great that you're looking into running Annotator on an SQL data
> store. I've had a quick look at the files you sent over, and I cannot
> recommend strongly enough that you read up on SQL injection attacks,
> and how to protect your applications from them. Your code is trivially
> susceptible to this kind of exploit, and I'd suggest you be very
> careful about where you use it.
>
> Best wishes -- not intending to be a total spoilsport,
> Nick
>
> On Fri, Oct 19, 2012 at 11:26 AM, johnny jiang
> <johnny.nan.jiang at gmail.com> wrote:
>> Hi folks,
>>
>> Here are all the files required to get the annotator datastore working
>> with MySQL.
>>
>> Please refer to readme.txt for instructions, and please feel free to let me
>> know if you have any questions.
>>
>> Kind regards,
>> Johnny
>>
>>
>> On Wed, Oct 17, 2012 at 4:17 AM, Randall Leeds <tilgovi at hypothes.is> wrote:
>>>
>>> On Tue, Oct 16, 2012 at 7:06 AM, Rufus Pollock <rufus.pollock at okfn.org>
>>> wrote:
>>> > Definitely interested. If we could use SQLAlchemy for this (we had an
>>> > sql version before) then we should be able to switch the exact RDBMS
>>> > pretty easily!
>>>
>>> Very interested as well.
>>>
>>> >
>>> > Rufus
>>> >
>>> > On 16 October 2012 12:53, johnny jiang <johnny.nan.jiang at gmail.com>
>>> > wrote:
>>> >> Hi guys,
>>> >>
>>> >> Recently we've completed migrating the Annotator store from elasticsearch +
>>> >> python to MySQL (it still needs elasticsearch and python, it just uses
>>> >> MySQL as the data store). I was wondering if anyone is interested in it,
>>> >> as I'm happy to share it.
>>> >>
>>> >> Kind regards,
>>> >> Johnny
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> annotator-dev mailing list
>>> >> annotator-dev at lists.okfn.org
>>> >> http://lists.okfn.org/mailman/listinfo/annotator-dev
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > Co-Founder, Open Knowledge Foundation
>>> > Promoting Open Knowledge in a Digital Age
>>> > http://www.okfn.org/ - http://blog.okfn.org/
>>> >
>>
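A runnable illustration of the distinction Nick draws at the top of the thread, added here and not part of the thread or of the Annotator code base: the same annotation lookup written once with Python string formatting and once with DB-API parameter binding. It uses the standard-library sqlite3 driver (placeholder `?`, paramstyle 'qmark') so it runs offline; MySQLdb's `%s` placeholder (paramstyle 'format') works the same way as long as the value is passed as the second argument of `execute()` rather than formatted into the string. The table, rows and probe string are constructed sample data.

```python
"""String formatting vs. DB-API parameter binding, shown on sqlite3."""
import sqlite3

# sqlite3 spells its placeholder "?"; MySQLdb spells it "%s". In both
# drivers the placeholder is only meaningful when the SQL text and the
# values reach execute() as separate arguments.
assert sqlite3.paramstyle == "qmark"


def make_store():
    """Constructed sample data: a tiny in-memory annotation table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table annotation (id text primary key, body text)")
    conn.executemany(
        "insert into annotation values (?, ?)",
        [("a1", "first note"), ("a2", "second note")],
    )
    return conn


def fetch_unsafe(conn, _id):
    """Python's % operator runs before the driver ever sees the query,
    so whatever _id contains becomes part of the SQL text itself."""
    sql = "select id from annotation where id = '%s'" % _id
    return sorted(row[0] for row in conn.execute(sql))


def fetch_safe(conn, _id):
    """The placeholder stays in the SQL; the driver binds _id separately,
    so the input is only ever compared as a value, never parsed as SQL."""
    sql = "select id from annotation where id = ?"
    return sorted(row[0] for row in conn.execute(sql, (_id,)))


if __name__ == "__main__":
    store = make_store()
    probe = "x' or '1'='1"  # constructed input that is not a valid id
    print("unsafe:", fetch_unsafe(store, probe))  # every row comes back
    print("safe:  ", fetch_safe(store, probe))    # no row has that id
```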