이 Python 파일 python pid_info.py 12345를 실행해 보면 다음과 같습니다.
#!/usr/bin/env python
import subprocess
import sys, getopt
# add if -b or -e then look for username/email like etc...
# figure out how to store the db creds in separate file
class color:
PURPLE = '\033[95m'
CYAN = '\033[96m'
DARKCYAN = '\033[36m'
BLUE = '\033[94m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RED = '\033[91m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
FLASH = '\033[0.5m'
END = '\033[0m'
# DB info:
host =
db=
user=
password=
# take the argument provided by user
UN=str(sys.argv[1])
# SQL query to return user info + role
f_statement1 = """ set nocount on; set ansi_warnings off;
SELECT
pl.placement_id PID, pl.placement_name, p.partner_name Publisher, pc.description Platform_client, pit.description +'/'+ dt.description Integration_Device
FROM placement pl
JOIN partner p ON pl.partner_id = p.partner_id
JOIN platform_client pc ON p.platform_client_id = pc.platform_client_id
JOIN placement_integration_type_assoc pita ON pl.placement_id = pita.placement_id
JOIN placement_integration_type pit ON pita.placement_integration_type_id = pit.placement_integration_type_id
JOIN device_type dt ON pl.device_type_id = dt.device_type_id
WHERE pit.active=1
AND pita.active=1 AND pl.placement_id = """ + str(UN)
f_statement2 = """ set nocount on; set ansi_warnings off;
SELECT
pl.max_ad_duration Seconds, c.abbreviation Country,
CASE WHEN passback_allowed=0 THEN 'GUARANTEED' ELSE 'PASSBACK' END AS Buy_Type,
CASE WHEN pl.skippable=0 THEN 'Non-Skippable' ELSE 'Skippable' END AS Skippable,
CASE WHEN pl.active=1 THEN 'ACTIVE' ELSE 'NOT_ACTIVE' END AS Status
FROM placement pl
JOIN country c ON pl.country_id = c.country_id
WHERE pl.placement_id =""" + str(UN)
f_statement3 = """ set nocount on; set ansi_warnings off;
SELECT url_expression FROM AN_MAIN..placement_domain_whitelist
WHERE active=1 and placement_id =""" + str(UN)
# run the first query
print('\n')
print(color.UNDERLINE + color.BOLD + "Results for PID " + str(UN) + ":" + color.END)
results1=subprocess.call(["sqlcmd", "-S", host, "-U",user, "-P",password, "-d",db, "-Q", f_statement1, "-Y","30", "-s", "|" ])
print('\n')
results1=subprocess.call(["sqlcmd", "-S", host, "-U",user, "-P",password, "-d",db, "-Q", f_statement2, "-Y","30", "-s", "|" ])
print('\n')
print(color.UNDERLINE + color.BOLD + "Whitelist for PID " + str(UN) + ":" + color.END)
print('\n')
results1=subprocess.call(["sqlcmd", "-S", host, "-U",user, "-P",password, "-d",db, "-Q", f_statement3, "-Y","30", "-s", "|" ])
print('\n')
input ()
이렇게 하면 오류가 발생합니다.
Results for PID 12345:
Traceback (most recent call last):
File "pid_info.py", line 57, in <module>
results1=subprocess.call(["sqlcmd", "-S", host, "-U",user, "-P",password, "-d",db, "-Q", f_statement1, "-Y","30", "-s", "|" ])
File "/usr/lib/python2.7/subprocess.py", line 523, in call
return Popen(*popenargs, **kwargs).wait()
File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
errread, errwrite)
File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory
여기서 어떤 변경을 해야 합니까?
답변1
sqlcmdPython 스크립트는 환경 변수에 나열된 디렉터리에 없는 환경에서 실행됩니다 PATH.
스크립트를 호출하기 전에 있었던 디렉토리를 포함 PATH하거나 전체 경로를 사용하십시오.sqlcmdsqlcmd
외부 바이너리를 사용하지 않고도 Python 코드에서 데이터베이스 연결을 생성할 수 있는 Python용 SQL 라이브러리가 있다고 확신합니다. 또한 이를 통해 SQL 주입 공격에 취약하지 않은 준비된 명령문을 실행할 수 있습니다.
변수를 정리하지 않습니다 UN. 즉, 다음을 사용하여 스크립트를 호출할 수 있습니다."12345; DROP DATABASE 'mydatabase';"