classification
Title: sqlite documentation bug
Type: behavior Stage: resolved
Components: Documentation Versions: Python 3.6, Python 3.5, Python 2.7
process
Status: closed Resolution: rejected
Dependencies: Superseder:
Assigned To: docs@python Nosy List: Eyal Mor, berker.peksag, docs@python, r.david.murray
Priority: normal Keywords: patch

Created on 2016-08-09 12:29 by Eyal Mor, last changed 2018-07-27 07:53 by berker.peksag. This issue is now closed.

Files
File name Uploaded Description Edit
Screen Shot 2016-08-09 at 3.28.05 PM.png Eyal Mor, 2016-08-09 12:29 Image of code section
issue27717.diff berker.peksag, 2016-08-24 22:07 review
Messages (4)
msg272238 - (view) Author: Eyal Mor (Eyal Mor) Date: 2016-08-09 12:29
In the SQlite module documentation there a code section showing how to securely use the sqlite.execute method.
The problem with this code section is that just from a glance, without reading the paragraph before, or the comments in the section, users could use the insecure version.
It would be better if only a secure example would be in the code section.

https://docs.python.org/2/library/sqlite3.html

Section:
# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()

# Larger example that inserts many records at a time
purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
             ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
             ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
            ]
c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)
msg272247 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2016-08-09 13:39
I think it is pretty hard to miss "Never do this" when reading the code section.  That said, I don't have a strong objection to changing it.

I've reduced the versions field to those branches this might get changed in, as is our standard practice with the versions field.  Nor is this a security issue in our usage of that type, so I've changed the type to behavior.
msg273602 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2016-08-24 22:07
> I think it is pretty hard to miss "Never do this" when reading the code section.

I agree with David. However, I may be biased since I spend a lot of time reading docs.python.org :) Here is a patch that moves the insecure example to a separate code block.
msg322470 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2018-07-27 07:53
Looking at this again, I think the current version of the documentation should stay as-is. Perhaps my patch can make the insecure example separated from the secure one, but I don't think it's worth to apply it.
History
Date User Action Args
2018-07-27 07:53:00berker.peksagsetstatus: open -> closed
resolution: rejected
messages: + msg322470

stage: patch review -> resolved
2016-08-24 22:07:15berker.peksagsetfiles: + issue27717.diff

nosy: + berker.peksag
messages: + msg273602

keywords: + patch
stage: patch review
2016-08-09 13:39:59r.david.murraysetversions: - Python 3.2, Python 3.3, Python 3.4
nosy: + r.david.murray

messages: + msg272247

type: security -> behavior
2016-08-09 12:29:35Eyal Morcreate