0

Here is the code I'm using :

import urllib2
import psycopg2

add = 'http://google.com'
res = urllib2.urlopen(add)
url_html = res.read()
con = psycopg2.connect(user='postgres',password='test_pwd',host='localhost',port=5432,database='test_db')
cur = con.cursor()
cur.execute("INSERT INTO output(output) values ('%r')" %(url_html))
#cur.execute("INSERT INTO output(output) values ('''%s''')" %(url_html))
con.commit()

Now its throwing an error because of ' ' as quotes are inside the page's source code too. Can anybody help me out with this. Thanks for your help.

ralh
  • 2,284
  • 10
  • 17
Prashant Shukla
  • 634
  • 6
  • 17

1 Answers1

1

You should always escape database input, even if you're just downloading HTML from a web page, or you're making yourself vulnerable to SQL Injection. What if someone puts a drop table command in the HTML? You might end up executing it. Also, in your case escaping will actually solve your problem.

In psycopg2 you can escape parameters like this:

cur.execute("INSERT INTO test (num, data) VALUES (%s, %s)", (100, "abc'def")) (shamelessly stolen from http://initd.org/psycopg/docs/usage.html)

Read more about SQL Injection: What is SQL injection?

Community
  • 1
  • 1
ralh
  • 2,284
  • 10
  • 17
  • make a single item tuple in Python you need a comma otherwise solution was perfect {cur.execute("INSERT INTO test (num, data) VALUES (%s, %s)", (100, "abc'def",))} – Prashant Shukla Oct 08 '15 at 07:42
  • In my example the tuple has two values, so no additional comma is needed. There already is one between the two values. But in your own case you would indeed need a comma. – ralh Oct 08 '15 at 07:45
  • Right their you are my bad , Also I'm aware of the consequences it is for R&D purpose. Thanks for your help – Prashant Shukla Oct 08 '15 at 07:45