sqlite documentation bug #71904

EyalMor · 2016-08-09T12:29:35Z

BPO	27717
Nosy	@bitdancer, @berkerpeksag
Files	Screen Shot 2016-08-09 at 3.28.05 PM.png: Image of code section issue27717.diff

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2018-07-27.07:53:00.430>
created_at = <Date 2016-08-09.12:29:34.991>
labels = ['type-bug', 'docs']
title = 'sqlite documentation bug'
updated_at = <Date 2018-07-27.07:53:00.429>
user = 'https://bugs.python.org/EyalMor'

bugs.python.org fields:

activity = <Date 2018-07-27.07:53:00.429>
actor = 'berker.peksag'
assignee = 'docs@python'
closed = True
closed_date = <Date 2018-07-27.07:53:00.430>
closer = 'berker.peksag'
components = ['Documentation']
creation = <Date 2016-08-09.12:29:34.991>
creator = 'Eyal Mor'
dependencies = []
files = ['44056', '44214']
hgrepos = []
issue_num = 27717
keywords = ['patch']
message_count = 4.0
messages = ['272238', '272247', '273602', '322470']
nosy_count = 4.0
nosy_names = ['r.david.murray', 'docs@python', 'berker.peksag', 'Eyal Mor']
pr_nums = []
priority = 'normal'
resolution = 'rejected'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue27717'
versions = ['Python 2.7', 'Python 3.5', 'Python 3.6']

EyalMor · 2016-08-09T12:29:34Z

In the SQlite module documentation there a code section showing how to securely use the sqlite.execute method.
The problem with this code section is that just from a glance, without reading the paragraph before, or the comments in the section, users could use the insecure version.
It would be better if only a secure example would be in the code section.

https://docs.python.org/2/library/sqlite3.html

Section:
# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()

# Larger example that inserts many records at a time
purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
             ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
             ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
            ]
c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)

bitdancer · 2016-08-09T13:40:00Z

I think it is pretty hard to miss "Never do this" when reading the code section. That said, I don't have a strong objection to changing it.

I've reduced the versions field to those branches this might get changed in, as is our standard practice with the versions field. Nor is this a security issue in our usage of that type, so I've changed the type to behavior.

berkerpeksag · 2016-08-24T22:07:15Z

I think it is pretty hard to miss "Never do this" when reading the code section.

I agree with David. However, I may be biased since I spend a lot of time reading docs.python.org :) Here is a patch that moves the insecure example to a separate code block.

berkerpeksag · 2018-07-27T07:53:00Z

Looking at this again, I think the current version of the documentation should stay as-is. Perhaps my patch can make the insecure example separated from the secure one, but I don't think it's worth to apply it.

EyalMor mannequin added the type-security A security issue label Aug 9, 2016

EyalMor mannequin assigned docspython Aug 9, 2016

EyalMor mannequin added the docs Documentation in the Doc dir label Aug 9, 2016

bitdancer added type-bug An unexpected behavior, bug, or error and removed type-security A security issue labels Aug 9, 2016

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

sqlite documentation bug #71904

sqlite documentation bug #71904

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sqlite documentation bug #71904

sqlite documentation bug #71904

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!