sqlite documentation bug · Issue #71904 · python/cpython · GitHub

sqlite documentation bug #71904

Closed
EyalMor mannequin opened this issue Aug 9, 2016 · 4 comments
Labels
docs Documentation in the Doc dir type-bug An unexpected behavior, bug, or error

Comments

EyalMor mannequin commented Aug 9, 2016
BPO 27717
Nosy @bitdancer, @berkerpeksag
Files
  • Screen Shot 2016-08-09 at 3.28.05 PM.png: Image of code section
  • issue27717.diff
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2018-07-27.07:53:00.430>
    created_at = <Date 2016-08-09.12:29:34.991>
    labels = ['type-bug', 'docs']
    title = 'sqlite documentation bug'
    updated_at = <Date 2018-07-27.07:53:00.429>
    user = 'https://bugs.python.org/EyalMor'

    bugs.python.org fields:

    activity = <Date 2018-07-27.07:53:00.429>
    actor = 'berker.peksag'
    assignee = 'docs@python'
    closed = True
    closed_date = <Date 2018-07-27.07:53:00.430>
    closer = 'berker.peksag'
    components = ['Documentation']
    creation = <Date 2016-08-09.12:29:34.991>
    creator = 'Eyal Mor'
    dependencies = []
    files = ['44056', '44214']
    hgrepos = []
    issue_num = 27717
    keywords = ['patch']
    message_count = 4.0
    messages = ['272238', '272247', '273602', '322470']
    nosy_count = 4.0
    nosy_names = ['r.david.murray', 'docs@python', 'berker.peksag', 'Eyal Mor']
    pr_nums = []
    priority = 'normal'
    resolution = 'rejected'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue27717'
    versions = ['Python 2.7', 'Python 3.5', 'Python 3.6']

    In the SQLite module documentation there is a code section showing how to securely use the sqlite.execute method.
    The problem with this code section is that, just from a glance, without reading the paragraph before or the comments in the section, users could use the insecure version.
    It would be better if only a secure example were in the code section.

    https://docs.python.org/2/library/sqlite3.html

    Section:
    # Never do this -- insecure!
    symbol = 'RHAT'
    c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

    # Do this instead
    t = ('RHAT',)
    c.execute('SELECT * FROM stocks WHERE symbol=?', t)
    print c.fetchone()
    
    # Larger example that inserts many records at a time
    purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
                 ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
                 ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
                ]
    c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)

    @EyalMor EyalMor mannequin added the type-security A security issue label Aug 9, 2016
    @EyalMor EyalMor mannequin assigned docspython Aug 9, 2016
    @EyalMor EyalMor mannequin added the docs Documentation in the Doc dir label Aug 9, 2016
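    The following is an added, runnable illustration of the two forms quoted above; it is not code from the Python docs or from this issue. It assumes the `stocks` table layout from the sqlite3 tutorial (date, trans, symbol, qty, price), uses an in-memory database with a few constructed rows, and feeds a constructed attacker string to both forms to show what the "Never do this" comment is warning about. It also checks a caveat the docs snippet does not spell out: `?` placeholders bind values only, so a table or column name cannot be parameterized and must be validated some other way.

```python
import sqlite3


def make_db():
    """Create an in-memory 'stocks' table and load constructed sample rows.

    The schema mirrors the sqlite3 tutorial table; the rows are sample data
    made up for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stocks (date text, trans text, symbol text, qty real, price real)"
    )
    purchases = [
        ("2006-01-05", "BUY", "RHAT", 100, 35.14),
        ("2006-03-28", "BUY", "IBM", 1000, 45.00),
        ("2006-04-05", "BUY", "MSFT", 1000, 72.00),
        ("2006-04-06", "SELL", "IBM", 500, 53.00),
    ]
    # executemany binds each tuple to the five '?' placeholders in turn.
    conn.executemany("INSERT INTO stocks VALUES (?,?,?,?,?)", purchases)
    conn.commit()
    return conn


def lookup_insecure(conn, symbol):
    """The 'Never do this' form: the value is spliced into the SQL text.

    Whatever the caller passes becomes part of the statement, so quote
    characters in the input change the query's structure.
    """
    cur = conn.cursor()
    cur.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
    return cur.fetchall()


def lookup_parameterized(conn, symbol):
    """The 'Do this instead' form: the value travels as a bound parameter.

    SQLite compiles the statement with a placeholder first and only then
    receives the value, so the input is always compared as a string literal.
    """
    cur = conn.cursor()
    cur.execute("SELECT * FROM stocks WHERE symbol = ?", (symbol,))
    return cur.fetchall()


# Constructed attacker input: closes the open quote, then appends a tautology.
# In the insecure form the statement becomes
#   SELECT * FROM stocks WHERE symbol = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


def demo():
    """Return row counts for (honest, injected) x (insecure, parameterized)."""
    conn = make_db()
    honest = len(lookup_insecure(conn, "RHAT"))            # 1 row, as intended
    injected = len(lookup_insecure(conn, PAYLOAD))         # every row leaks
    safe_honest = len(lookup_parameterized(conn, "RHAT"))  # still 1 row
    safe_injected = len(lookup_parameterized(conn, PAYLOAD))  # no symbol matches the payload text
    conn.close()
    return honest, injected, safe_honest, safe_injected


def placeholder_binds_values_only(conn):
    """Caveat: '?' can bind a value but not an identifier.

    Trying to bind the table name is a syntax error at prepare time, so
    identifiers coming from untrusted input need an allowlist check instead.
    Returns True only if SQLite accepted the bound identifier (it does not).
    """
    try:
        conn.execute("SELECT * FROM stocks WHERE ? = ?", ("symbol", "RHAT"))  # compares two strings, never a column
        conn.execute("SELECT * FROM ? WHERE symbol = ?", ("stocks", "RHAT"))
    except sqlite3.OperationalError:
        return False
    return True


if __name__ == "__main__":
    print(demo())
    print(placeholder_binds_values_only(make_db()))
```

    The second call inside `placeholder_binds_values_only` is the one that fails; the first is legal SQL but silently compares the literal strings `'symbol'` and `'RHAT'` rather than the column, which is the quieter way a misplaced placeholder goes wrong.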
    @bitdancer (Member)

    I think it is pretty hard to miss "Never do this" when reading the code section. That said, I don't have a strong objection to changing it.

    I've reduced the versions field to those branches this might get changed in, as is our standard practice with the versions field. Nor is this a security issue in our usage of that type, so I've changed the type to behavior.

    @bitdancer bitdancer added type-bug An unexpected behavior, bug, or error and removed type-security A security issue labels Aug 9, 2016
    @berkerpeksag (Member)

    > I think it is pretty hard to miss "Never do this" when reading the code section.

    I agree with David. However, I may be biased since I spend a lot of time reading docs.python.org :) Here is a patch that moves the insecure example to a separate code block.

    @berkerpeksag (Member)

    Looking at this again, I think the current version of the documentation should stay as-is. Perhaps my patch can keep the insecure example separated from the secure one, but I don't think it's worth applying it.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022