Python
unt1tledddd, 2022-02-05 16:19:44

How to teach a Telegram chat bot to accept letters?



My Telegram bot, when issuing details inside the bot, can only accept numbers, that is, an error
pops up for any letter. Please help fix it )

    q = connection.cursor()
    try:
        # the value is concatenated straight into the SQL text
        q.execute("update config set bitcoin = " + str(new_bitcoin) + " where id = 1")
        connection.commit()
        q.close()
        connection.close()
        bot.send_message(message.chat.id, 'Success!', reply_markup=keyboards.admin)
    except:
        bot.send_message(admin, 'Error', reply_markup=keyboards.admin)


2 answer(s)
shurshur, 2022-02-05

I will send you
'';drop table config;select bitcoin from config
and the config table will be deleted. This is called SQL injection.
You do not wrap the string in quotes, so of course nothing good will come of it. In the case of numbers, of course, the query without quotes succeeds. But in general this is the wrong way to use SQL, since any quote will break it, and carefully prepared text (I gave an example) will produce a query quite different from the one that was planned.
Correct use of placeholders:

q.execute("UPDATE config SET bitcoin=? WHERE id=?", (new_bitcoin, user_id))

In this case, the database itself will correctly substitute and execute everything.

Vindicar, 2022-02-05

q.execute("update config set bitcoin = " + str( new_bitcoin ) + " where id = 1")

For this you should be rapped over the knuckles. Definitely. Let me explain why:
if new_bitcoin holds the number 1234 or the string "1234", then we get the query
update config set bitcoin = 1234 where id = 1
This query is syntactically correct from the point of view of the SQL language.
But if new_bitcoin holds the string "foobar", we get the query
update config set bitcoin = foobar where id = 1
From the SQL point of view, this is a reference to a column called foobar. Which, of course, does not exist.
And now, attention, the question is: why the hell did you not get acquainted with the basics of using a DBMS, namely with the value substitution syntax?
Read here, starting with "Instead, use the DB-API's parameter substitution". Learn it and don't do it again.
And one more thing: what will happen if bitcoin contains a string like "0; --"?
update config set bitcoin = 0; -- where id = 1
Anything after "--" is a comment and will be ignored. I.e. the query will overwrite the entire bitcoin column with zeros.
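Both answers make the same point, so here is one added example (not code from the question or from either answer) that rewrites the question's update with placeholders against an in-memory SQLite table, and also shows the query text the concatenated form would produce for the inputs the answers discuss, built but never executed. The config table schema, the row id and the helper names are assumptions.

```python
import sqlite3

# Constructed schema standing in for the question's `config` table (assumed shape).
SCHEMA = "CREATE TABLE config (id INTEGER PRIMARY KEY, bitcoin TEXT)"


def make_connection():
    """In-memory SQLite database with a single config row, constructed for this example."""
    connection = sqlite3.connect(":memory:")
    connection.execute(SCHEMA)
    connection.execute("INSERT INTO config (id, bitcoin) VALUES (1, 'initial')")
    connection.commit()
    return connection


def build_concatenated_query(new_bitcoin):
    """The SQL text the question's code produces. Built only, not executed,
    so the reader can see how the input becomes part of the SQL grammar."""
    return "update config set bitcoin = " + str(new_bitcoin) + " where id = 1"


def set_bitcoin(connection, new_bitcoin, row_id=1):
    """Hardened form from the answers: the value is bound as a parameter,
    so the DBMS treats it as data and never parses it as SQL."""
    q = connection.cursor()
    try:
        q.execute("UPDATE config SET bitcoin = ? WHERE id = ?", (new_bitcoin, row_id))
        connection.commit()
        return q.rowcount  # number of rows actually updated
    finally:
        q.close()


def get_bitcoin(connection, row_id=1):
    row = connection.execute("SELECT bitcoin FROM config WHERE id = ?", (row_id,)).fetchone()
    return None if row is None else row[0]


def table_exists(connection, name):
    row = connection.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_connection()
    for sample in ("foobar", "0; --", "'';drop table config;select bitcoin from config"):
        print("concatenated SQL text :", build_concatenated_query(sample))
        set_bitcoin(conn, sample)
        print("stored via placeholder:", repr(get_bitcoin(conn)), "| table intact:", table_exists(conn, "config"))
```

With placeholders, every sample lands in the column as a literal string and the table survives; the concatenated text shows why "foobar" becomes a column reference and "0; --" turns the WHERE clause into a comment.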
