From: Steve F. <sf...@ih...> - 2002-06-27 18:54:22
The htmlEncode() method, as I recently discovered thanks to Ian, is good to use to prevent malicious inputs from being undesirably reproduced in web pages. Storing inputs in a SQL database presents the same kind of challenge, especially because SQL injection attacks are such nasty things.

Do y'all feel that using htmlEncode() on incoming data to be included in a SQL query is an effective solution to that problem?

Steve
From: Charles C. <we...@di...> - 2002-06-27 19:00:42
Steve Freitas <sf...@ih...> wrote:
>
> Do y'all feel that using htmlEncode() on incoming data to be included in a
> SQL query is an effective solution to that problem?

No. As you noted, it's useful for preventing HTML markup in input from affecting the rendering of an HTML page.

To protect against SQL injection attacks, do SQL-escaping. The precise characters you need to worry about depend on what RDBMS you use, but '"', "'", and ";" are the common ones.

Charles
--
Charles Cazabon <we...@di...>
GPL'ed software available at: http://www.qcc.ca/~charlesc/software/
From: Ian B. <ia...@co...> - 2002-06-27 19:04:16
No, definitely not. The most important character to quote in a SQL statement is ', and that isn't quoted by htmlEncode. You should use a different quoter. Database adapters usually have some sort of quoting built in. But here's what I use:

    import re
    import string

    _sqlQuoteRE = re.compile("'")

    def sqlQuote(value):
        """
        Quote a value for insertion as a SQL value.  Puts ' around strings,
        nothing around numbers, turns None into NULL, and turns arrays into
        (<quoted values>, ...)
        """
        if type(value) is type(""):
            # escape each embedded ' as \' and wrap the result in quotes
            return "'%s'" % _sqlQuoteRE.sub("\\'", str(value))
        elif value is None:
            return "NULL"
        elif type(value) is type(()) or \
             type(value) is type([]):
            # quote each element and emit a parenthesised list
            return "(" + string.join(map(sqlQuote, value), ", ") + ")"
        elif type(value) is type(1) or \
             type(value) is type(1L):
            return "%i" % value
        elif type(value) is type(1.0):
            return str(value)
        elif isinstance(value, SQLExpression):
            # SQLExpression, DateTimeType and isoStr are from the poster's own code
            return value.sqlRepr()
        elif type(value) is DateTimeType:
            return "'%s'" % isoStr(value)
        else:
            raise ValueError, "Unknown type to quote: %s for %s" % \
                  (type(value), repr(value))

(note, this quotes Python types and adds quotes around strings, so the string "what's up" becomes "'what\\'s up'")

On Thu, 2002-06-27 at 13:54, Steve Freitas wrote:
> The htmlEncode() method, as I recently discovered thanks to Ian, is good to
> use to prevent malicious inputs from being undesirably reproduced in web
> pages. Storing inputs in a SQL database presents the same kind of challenge,
> especially because SQL injection attacks are such nasty things.
>
> Do y'all feel that using htmlEncode() on incoming data to be included in a
> SQL query is an effective solution to that problem?
>
> Steve
From: <ir...@ms...> - 2002-06-27 19:38:21
On Thu, Jun 27, 2002 at 11:54:18AM -0700, Steve Freitas wrote:
> The htmlEncode() method, as I recently discovered thanks to Ian, is good to
> use to prevent malicious inputs from being undesirably reproduced in web
> pages. Storing inputs in a SQL database presents the same kind of challenge,
> especially because SQL injection attacks are such nasty things.
>
> Do y'all feel that using htmlEncode() on incoming data to be included in a
> SQL query is an effective solution to that problem?

For MySQL:

    s = MySQLdb.encode(s)   # String.

or easier:

    sql = "SELECT a, b FROM c WHERE d = %(d_value)s AND e = %(e_value)s"
    dic = {'d_value': ..., 'e_value': ...}
    c.execute(sql, dic)   # Cursor object.

I haven't used pgdb (Postgres) much, but it seems to do the second thing too. You may have to do a bit more quoting (e.g., around the placeholders in the query string).

--
-Mike (Iron) Orr, ir...@ms... (if mail problems: ms...@oz...)
http://iron.cx/ English * Esperanto * Russkiy * Deutsch * Espan~ol
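An added example, not code from any poster in this thread, that puts the two approaches from Charles's, Ian's and Mike's replies side by side: a type-dispatching quoter in the shape of Ian's but escaping ' by doubling it as standard SQL requires, and the placeholder style Mike shows, both run against a constructed in-memory SQLite table. The table, its rows and the names sql_quote, make_db, find_leads_by_name, find_leads_by_name_quoted and find_leads_with_status are assumptions of the example.

```python
import sqlite3


def sql_quote(value):
    """Render a Python value as a SQL literal for the rare case where a
    query string must be assembled by hand (e.g. an IN list).

    Strings get single quotes with every embedded ' doubled, which is how
    standard SQL escapes a quote; None becomes NULL, numbers are emitted
    bare, and lists/tuples become a parenthesised, comma-separated list.
    """
    if value is None:
        return "NULL"
    if isinstance(value, bool):        # before int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, int):
        return "%d" % value
    if isinstance(value, float):
        return repr(value)
    if isinstance(value, (list, tuple)):
        return "(" + ", ".join(sql_quote(v) for v in value) + ")"
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"
    raise ValueError("Unknown type to quote: %s for %r" % (type(value), value))


def make_db():
    """Constructed in-memory table with a few leads; one name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE leads (lead_id INTEGER PRIMARY KEY, "
        "contact_first_name TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO leads VALUES (?, ?, ?)",
        [(1, "Steve", "new"), (2, "what's up", "new"), (3, "Ian", "closed")],
    )
    return conn


def find_leads_by_name(conn, name):
    """Placeholder style: the driver passes `name` as a bound value, so a
    quote or semicolon inside it can never change the statement's shape.
    sqlite3 uses :name placeholders; MySQLdb's equivalent is %(name)s as in
    Mike's post."""
    sql = "SELECT lead_id FROM leads WHERE contact_first_name = :name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


def find_leads_by_name_quoted(conn, name):
    """Same lookup with a hand-quoted literal, to show sql_quote round-trips
    a value containing ' through the database unchanged."""
    sql = "SELECT lead_id FROM leads WHERE contact_first_name = " + sql_quote(name)
    return [row[0] for row in conn.execute(sql)]


def find_leads_with_status(conn, statuses):
    """An IN list is one place placeholders are awkward; sql_quote builds it."""
    sql = ("SELECT lead_id FROM leads WHERE status IN "
           + sql_quote(list(statuses)) + " ORDER BY lead_id")
    return [row[0] for row in conn.execute(sql)]
```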
From: Jeff J. <je...@je...> - 2002-06-27 20:06:49
I'm using extraPath now with some success and I found that it breaks relative URLs to images. I tried to come up with a patch but haven't had much luck yet. My short term solution was to change all my relative URLs to full URLs but when the page is displayed on HTTPS, it complains that the graphics are not secure. I could put some code in to figure out the correct full URL on the fly but I figure it would be better to make the patch. Has anyone else solved this problem already?

If a servlet, myservlet.py, has '<img src="images/button.gif">', and the URL for the page is http://www.x.com/myservlet.py/state/FL/city/Miami, the image URL will be http://www.x.com/myservlet.py/state/FL/city/images/button.gif.

Regards,
Jeff
From: Tavis R. <ta...@re...> - 2002-06-27 20:16:49
Jeff,
there's no way around this. Browsers have no idea that the url path contains extraPath so they calculate relative paths from the url path. You have to either use absolute paths or include a <base> tag in your html output.

Tavis

On June 27, 2002 12:59 pm, Jeff Johnson wrote:
> I'm using extraPath now with some success and I found that it breaks
> relative URLs to images. I tried to come up with a patch but haven't
> had much luck yet. My short term solution was to change all my relative
> URLs to full URLs but when the page is displayed on HTTPS, it complains
> that the graphics are not secure. I could put some code in to figure
> out the correct full URL on the fly but I figure it would be better to
> make the patch. Has anyone else solved this problem already?
>
> If a servlet, myservlet.py, has '<img src="images/button.gif">', and the
> URL for the page is http://www.x.com/myservlet.py/state/FL/city/Miami,
> the image URL will be
> http://www.x.com/myservlet.py/state/FL/city/images/button.gif.
>
> Regards,
> Jeff
From: Jeff J. <je...@je...> - 2002-06-27 20:20:58
> Jeff,
> there's no way around this. Browsers have no idea that the
> url path contains
> extraPath so they calculate relative paths from the url path.
> You have to
> either use absolute paths or include a <base> tag in your
> html output.
> Tavis

Ah, now it makes sense. On Cold Fusion I use a tag for extraPath that someone else wrote and it throws a <base> tag in. I never really knew why.

Thanks Tavis!
From: Jeff J. <je...@je...> - 2002-06-28 16:38:55
> Jeff,
> there's no way around this. Browsers have no idea that the url path contains
> extraPath so they calculate relative paths from the url path. You have to
> either use absolute paths or include a <base> tag in your html output.
> Tavis

Before I put this code live, can anyone see a problem with it or suggest improvements? It seems to work pretty well. I call it from writeHeadParts().

    def writeBaseTag(self):
        try:
            req = self.request()
            if len(req.extraURLPath()):
                d = req.serverDictionary()
                if d.get("HTTPS", "") == "on":
                    protocol = "https"
                else:
                    protocol = "http"
                baseHref = "%s://%s%s/" % (protocol, d['HTTP_HOST'], d['SCRIPT_NAME'])
                self.writeln('\n<base href="%s">\n' % baseHref)
        except:
            # any exception (e.g. a missing HTTP_HOST) silently skips the tag
            pass

Thanks,
Jeff
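An added example, not Jeff's code, that puts the same logic in plain functions so it can be checked outside the AppServer: it reproduces the URL resolution Jeff describes, emits the <base> tag only when extra path info is present, and refuses to echo a Host header that is not on an allow-list, since HTTP_HOST is copied from the client's request. The environment dict is constructed, treating PATH_INFO as what extraURLPath() returns is an assumption, and the function names are the example's own.

```python
import html
from urllib.parse import urljoin

# Constructed CGI environment for the request in Jeff's example,
# http://www.x.com/myservlet.py/state/FL/city/Miami, served over plain HTTP.
# PATH_INFO is assumed to be what Webware exposes as extraURLPath().
EXAMPLE_ENV = {
    "HTTPS": "",
    "HTTP_HOST": "www.x.com",
    "SCRIPT_NAME": "/myservlet.py",
    "PATH_INFO": "/state/FL/city/Miami",
}
ALLOWED_HOSTS = {"www.x.com"}


def scheme_of(env):
    return "https" if env.get("HTTPS", "").lower() == "on" else "http"


def request_url(env):
    """The URL the browser loaded; relative paths resolve against it when
    the page carries no <base> tag."""
    return "%s://%s%s%s" % (scheme_of(env), env.get("HTTP_HOST", ""),
                            env.get("SCRIPT_NAME", ""), env.get("PATH_INFO", ""))


def resolve_without_base(env, relative):
    """What the browser fetches today: the extra path is treated as
    directories, so 'images/button.gif' lands under .../city/."""
    return urljoin(request_url(env), relative)


def base_href(env, allowed_hosts):
    """href for the <base> tag, or None when no tag should be written.

    None is returned when there is no extra path (nothing to fix) and when
    the Host header is not one of ours: HTTP_HOST comes from the client's
    request, so echoing it unchecked would let a forged Host send every
    relative image and script fetch on the page to another site.
    """
    if not env.get("PATH_INFO"):
        return None
    host = env.get("HTTP_HOST", "").lower()
    if host not in allowed_hosts:
        return None
    return "%s://%s%s/" % (scheme_of(env), host, env.get("SCRIPT_NAME", ""))


def base_tag(env, allowed_hosts):
    """Markup to emit from writeHeadParts(); empty when no tag is needed."""
    href = base_href(env, allowed_hosts)
    if href is None:
        return ""
    return '<base href="%s">' % html.escape(href, quote=True)


def resolve(env, allowed_hosts, relative):
    """Where the browser fetches `relative` from once the page is emitted
    with (or, if no tag is written, without) the <base> tag."""
    base = base_href(env, allowed_hosts) or request_url(env)
    return urljoin(base, relative)
```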
From: Karl P. <ka...@pu...> - 2002-06-30 20:22:29
Hello All,

Using Webware 0.7 w/ PostgreSQL 7.2.1 and a hacked PyDO.
RH7.2, Apache, WebKit.cgi

Development was moving right along until... We inserted 838 rows for testing. When we select a small subset of the records, everything seems to work. But if we select the entire set of records, and try to display them, the AppServer pukes without meaningful error.

I've included the console output from one of our developers. I've checked the error messages, the apache logs and the webware logs. This really hurts our efforts. If anyone has ideas, suggestions, solutions, PLEASE help. If there needs to be more debugging, please let me know where to turn it on.

Are there OS limits that would affect webware?

--
Karl Putland
Director of Technical Operations
ShipEze Inc

[lvanhelden@mercury webware]$ ./AppServer
WebKit AppServer 0.7
part of Webware for Python
Copyright 1999-2001 by Chuck Esterbrook. All Rights Reserved.
WebKit and Webware are open source. Please visit: http://webware.sourceforge.net

Process id is 21840
Date/time is Sun Jun 30 14:01:43 2002

CheckInterval = 100
Host = 127.0.0.1
MaxServerThreads = 20
MinServerThreads = 5
PlugInDirs = ['/var/www/webware/Webware']
PlugIns = []
Port = 80086
PrintConfigAtStartUp = 1
StartServerThreads = 10
Verbose = 1

ActivityLogColumns = ['request.remoteAddress', 'request.method', 'request.uri', 'response.size', 'servlet.name', 'request.timeStamp', 'transaction.duration', 'transaction.errorOccurred']
ActivityLogFilename = /home/lvanhelden/projects/shipeze/shipit/webware/Logs/Activity.csv
AdminPassword = admin
CacheServletClasses = 1
CacheServletInstances = 1
ClearPSPCacheOnStart = 1
Contexts = {'default': 'MyContext', 'Testing': '/var/www/webware/Webware/WebKit/Testing', 'Examples': '/var/www/webware/Webware/WebKit/Examples', 'Admin': '/var/www/webware/Webware/WebKit/Admin', 'Docs': '/var/www/webware/Webware/WebKit/Docs', 'shipit': 'Contexts/shipit', 'MyContext': 'MyContext'}
Debug = {'Sessions': 0}
DirectoryFile = ['index', 'Index', 'main', 'Main']
DynamicSessionTimeout = 15
EmailErrorReportAsAttachment = 0
EmailErrors = 0
ErrorEmailHeaders = {'To': ['-@-.com'], 'Reply-to': '-@-.com', 'From': '-@-.com', 'Content-type': 'text/html', 'Subject': '[WebKit Error]'}
ErrorEmailServer = mail.-.com
ErrorLogFilename = /home/lvanhelden/projects/shipeze/shipit/webware/Logs/Errors.csv
ErrorMessagesDir = /home/lvanhelden/projects/shipeze/shipit/webware/ErrorMsgs
ExtensionCascadeOrder = ['.py', '.psp', '.html']
ExtensionsToIgnore = ['.pyc', '.pyo', '.py~', '.psp~', '.html~', '.bak']
ExtensionsToServe = []
ExtraPathInfo = 0
FancyTracebackContext = 5
FilesToHide = ['.*', '*~', '*.bak', '*.tmpl', '*.config', '__init__.*', '*.pyc', '*.pyo']
FilesToServe = []
IgnoreInvalidSession = 1
IncludeFancyTraceback = 0
LogActivity = 0
MaxDynamicMemorySessions = 10000
PrintConfigAtStartUp = 1
RPCExceptionReturn = traceback
SaveErrorMessages = 1
SessionPrefix = None
SessionStore = Dynamic
SessionTimeout = 60
ShowDebugInfoOnErrors = 1
UnknownFileTypes = {'CheckDate': 1, 'Technique': 'serveContent', 'CacheContent': 1, 'ReuseServlets': 1}
UseAutomaticPathSessions = 0
UseCascadingExtensions = 1
UserErrorMessage = The site is having technical difficulties with this page. An error has been logged, and the problem will be fixed as soon as possible. Sorry!

Loading context: Testing at /var/www/webware/Webware/WebKit/Testing
Loading context: Examples at /var/www/webware/Webware/WebKit/Examples
Loading context: Admin at /var/www/webware/Webware/WebKit/Admin
Loading context: Docs at /var/www/webware/Webware/WebKit/Docs
Loading context: shipit at /home/lvanhelden/projects/shipeze/shipit/webware/Contexts/shipit
Loading context: MyContext at /home/lvanhelden/projects/shipeze/shipit/webware/MyContext

Current directory: /home/lvanhelden/projects/shipeze/shipit/webware
Session Sweeper started

Plug-ins list: /var/www/webware/Webware/COMKit, /var/www/webware/Webware/MiddleKit, /var/www/webware/Webware/MiscUtils, /var/www/webware/Webware/PSP, /var/www/webware/Webware/TaskKit, /var/www/webware/Webware/UserKit, /var/www/webware/Webware/WebUtils, /var/www/webware/Webware/FormKit
Loading plug-in: COMKit at /var/www/webware/Webware/COMKit
Plug-in /var/www/webware/Webware/COMKit cannot be loaded because: Required op sys is ['nt'], but actual op sys is posix.
Loading plug-in: MiddleKit at /var/www/webware/Webware/MiddleKit
Loading context: MKBrowser at /var/www/webware/Webware/MiddleKit/WebBrowser
Loading plug-in: MiscUtils at /var/www/webware/Webware/MiscUtils
Loading plug-in: PSP at /var/www/webware/Webware/PSP
Loading context: PSPExamples at /var/www/webware/Webware/PSP/Examples
Loading plug-in: TaskKit at /var/www/webware/Webware/TaskKit
Loading plug-in: UserKit at /var/www/webware/Webware/UserKit
Loading plug-in: WebUtils at /var/www/webware/Webware/WebUtils
Loading plug-in: FormKit at /var/www/webware/Webware/FormKit
Loading context: FormKitExamples at /var/www/webware/Webware/FormKit/Examples

Listening on ('127.0.0.1', 80086)
Creating 10 threads..........
Ready

1 2002-06-30 14:02:30 /cgi-bin/louis.cgi/shipit/LeadList
awake called in DatabasePage
awake called in DatabasePage
SQL> SELECT contact_first_name, to_addr1, contact_addr2, contact_addr1, to_addr2, modified_datetime, to_first_name, from_addr1, created_datetime, contact_last_name, storage, phone_work, moving_date, to_city, source, from_addr2, from_city, email, status, fax, contact_state, to_zip, num_rooms, to_last_name, from_zip, packing, phone_home, total_weight, lead_id, from_state, to_state, contact_city, notes, contact_zip, from_first_name, raw_lead, phone_cell, db_user, time_to_call, from_last_name, cubic_feet, app_user, source_ref FROM leads
./AppServer: line 3: 21840 Aborted                 /usr/bin/env python2 Launch.py ThreadedAppServer $*
From: Aaron H. <aa...@me...> - 2002-07-01 02:30:14
I would check PyDO, maybe you are creating too many objects for it to handle. I wrote a system that mapped rows to objects, and it worked great for subsets, but when I tried to pull 5000 records it got very slow. I traced my problem to the way I was storing the recordset in the session, but webware never crashed. I've pulled 20k records from Postgres with PyPGSQL without any crashing problems.

If all of the code is in a module/class: can you pull up the same dataset from an interactive python session?

The only webware related OS limit that I have seen is in the python VM. There is a global lock that prevents load balancing across cpu's in an SMP server.

-Aaron

----- Original Message -----
From: "Karl Putland" <ka...@pu...>
To: <web...@li...>
Sent: Sunday, June 30, 2002 4:29 PM
Subject: [Webware-discuss] Webware aborting. (oops forgot to change the subject.)

> Hello All,
>
> Using Webware 0.7 w/ PostgreSQL 7.2.1 and a hacked PyDO.
> RH7.2, Apache, WebKit.cgi
>
> Development was moving right along until... We inserted 838 rows for
> testing. When we select a small subset of the records, everything seems
> to work. But if we select the entire set of records, and try to display
> them, the AppServer pukes without meaningful error.
>
> I've included the console output from one of our developers. I've
> checked the error messages, the apache logs and the webware logs. This
> really hurts our efforts. If anyone has ideas, suggestions, solutions,
> PLEASE help. If there needs to be more debugging, please let me know
> where to turn it on.
>
> Are there OS limits that would affect webware?
>
> --
> Karl Putland
> Director of Technical Operations
> ShipEze Inc
From: Karl P. <ka...@pu...> - 2002-07-01 03:33:44
On Sun, 2002-06-30 at 20:30, Aaron Held wrote:
> I would check PyDO, maybe you are creating too many objects for it to handle. I wrote a
> system that mapped rows to objects, and it worked great for subsets, but when I tried to
> pull 5000 records it got very slow. I traced my problem to the way I was storing the
> recordset in the session, but webware never crashed. I've pulled 20k records from
> Postgres with PyPGSQL without any crashing problems.
>

I am using psycopg, but it doesn't appear to be related to the db module. A plethora of print statements show that the select completes, the loop finishes, the page finishes, then the AppServer pukes.

> If all of the code is in a module/class:
> can you pull up the same dataset from an interactive python session?
>
> The only webware related OS limit that I have seen is in the python VM. There is a global
> lock that prevents load balancing across cpu's in an SMP server.
>

I understand about the global interpreter lock.

--
Karl Putland
Director of Technical Operations
ShipEze Inc
From: Aaron H. <aa...@me...> - 2002-06-28 03:04:20
PyPGSQL uses the same parameter quoting as MySQLdb, and you can also import a PGQuote function that works.

-Aaron

----- Original Message -----
From: "Mike Orr" <ir...@se...>
To: <web...@li...>
Sent: Thursday, June 27, 2002 3:49 PM
Subject: Re: [Webware-discuss] htmlEncode good for SQL?

> On Thu, Jun 27, 2002 at 11:54:18AM -0700, Steve Freitas wrote:
> > The htmlEncode() method, as I recently discovered thanks to Ian, is good to
> > use to prevent malicious inputs from being undesirably reproduced in web
> > pages. Storing inputs in a SQL database presents the same kind of challenge,
> > especially because SQL injection attacks are such nasty things.
> >
> > Do y'all feel that using htmlEncode() on incoming data to be included in a
> > SQL query is an effective solution to that problem?
>
> For MySQL:
>     s = MySQLdb.encode(s)   # String.
> or easier:
>     sql = "SELECT a, b FROM c WHERE d = %(d_value)s AND e = %(e_value)s"
>     dic = {'d_value': ..., 'e_value': ...}
>     c.execute(sql, dic)   # Cursor object.
>
> I haven't used pgdb (Postgres) much, but it seems to do the second thing
> too. You may have to do a bit more quoting (e.g., around the
> placeholders in the query string).
>
> --
> -Mike (Iron) Orr, ir...@ms... (if mail problems: ms...@oz...)
> http://iron.cx/ English * Esperanto * Russkiy * Deutsch * Espan~ol