I am writing a script in Python and I have some problems. I need to run a command with a parameter that I get from the database. I did it like this (additionally, mysql.connector is installed):

```python
import mysql.connector
import os

mydb = mysql.connector.connect(
  host="localhost",
  user="name",
  password="pass",
  database="base"
)

mycursor = mydb.cursor()

mycursor.execute("SELECT * FROM `employee` LIMIT 2")

myresult = mycursor.fetchall()

for row in myresult:
    os.system('command ' + row[1])
```

I have 3 questions:

  1. is it correct that I use os and not subprocess?
  2. I get an answer in json format when I run this command, how do I get the value from there? Do I need to include "import json"?

```python
import json

# some JSON:
x = '{ "name":"John", "age":30, "city":"New York"}'

# parse x:
y = json.loads(x)

# the result is a Python dictionary:
print(y["age"])
```

Alex
  • What are you actually trying to accomplish here? `command` prevents function and alias lookup, but a noninteractive shell won't have any functions or aliases defined in the first place. If it's a standin for some _other_ command, and you want to be safe against command injections, it very much won't help. – Charles Duffy Apr 02 '22 at 17:50
  • Consider the case where your database contains `$(rm -rf ~)` -- `yourcommand $(rm -rf ~)` is going to delete everything in your home directory before `yourcommand` ever gets started. – Charles Duffy Apr 02 '22 at 17:53
  • Also, note that each Stack Overflow question should be about _only one_ underlying question. @FLAK-ZOSO is slightly going against the rules to help you by answering a multi-question "question" (see [How to Answer](https://stackoverflow.com/help/how-to-answer), particularly the section _Answer Well-Asked Questions_, and the bullet point therein regarding questions that "require too much guidance for you to answer in full, **or request answers to multiple questions**"). – Charles Duffy Apr 02 '22 at 17:56
  • ...following that rule helps us provide the best possible answer for each subquestion (often, the best way to do that is to redirect via the close-as-duplicate mechanism to a preexisting, already-answered instance of a question that the community has put a lot of time and effort into answering comprehensively). – Charles Duffy Apr 02 '22 at 17:59

1 Answer

> is it correct that I use os and not subprocess?

You really should use `subprocess`; if you are asking why, you should read this.


> Do I need to include "import json"?

In Python, `import <module>` has a very similar usage to the C/C++ `#include <module>` preprocessor directive, even if it has some differences. So you don't include `import json`, but you import `json`.

Anyway, `json` is a Python built-in module which parses, encodes, indents and writes to .json files, and if you get a JSON-format response you really should consider using it to decode this object into a Python dict.

FLAK-ZOSO
  • I _wholeheartedly_ disagree with this advice. There is **never** a reason to use `os.system()` instead of `subprocess`, and a great many good reasons to avoid it. `os.system()` is incapable of running without an implied `/bin/sh -c`; it doesn't provide the ability to override the PATH or other environment variables; it doesn't provide the ability to choose the shell code will be run with; it doesn't provide the ability to directly control the argv -- why would you start with something that's antiquated? – Charles Duffy Apr 02 '22 at 17:48
  • You are for sure right, I've read a lot of Q&A about os/subprocess, but the OP doesn't seem to know the difference between "include import json" and "import json", so I don't think it's very important for them. – FLAK-ZOSO Apr 02 '22 at 17:49
  • Ok @CharlesDuffy, I'm editing my answer since "why would you start with something that's antiquated?" convinced me, thank you. – FLAK-ZOSO Apr 02 '22 at 17:53
  • Unfortunately, I think a _really good_ answer would require a clarification from the OP before it can be written. I don't know if they mean `command` to refer to the shell builtin named `command` or some arbitrary command of their own; and also don't know how many arguments they expect the database content to expand to -- but something like `subprocess.call(['theircommand', row[1]])` is generally going to have considerably fewer security faults; or `subprocess.call(['theircommand'] + shlex.split(row[1]))` if they expect a string from which multiple arguments can be extracted. – Charles Duffy Apr 02 '22 at 17:55
  • I checked my Python version; subprocess is for versions over 3.5, right? – Alex Apr 02 '22 at 20:15
  • Yes, are you using an older version? You shouldn't, versions over 3.5 have some useful features, in particular I remember that a lot of changes were introduced with 3.6 and 3.9 (and now with 3.10, which is probably the minor release with the major amount of new features). – FLAK-ZOSO Apr 02 '22 at 20:21
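
Added example (not part of the original thread): the argv-list call suggested in the comments, placed next to the shell-string form from the question, with the command's JSON output captured and parsed, which `os.system()` cannot do because it only returns the exit status. `CHILD` is a hypothetical stand-in for the real command, the database values are constructed samples, and the shell variant assumes a POSIX `/bin/sh`.

```python
import json
import shlex
import subprocess
import sys

# Hypothetical stand-in for the real command: prints its arguments as JSON.
CHILD = "import json, sys; print(json.dumps({'args': sys.argv[1:]}))"


def run_unsafe(value):
    """Same shape as os.system('command ' + row[1]): a shell parses the value."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(CHILD)} " + value
    out = subprocess.run(cmd, shell=True, capture_output=True,
                         text=True, check=True, timeout=10)
    return json.loads(out.stdout)["args"]


def run_safe(value, split=False):
    """argv list and no shell: the value stays data, never shell syntax.

    split=True covers the case where one database string is expected to
    hold several arguments (shlex.split tokenizes but executes nothing).
    """
    extra = shlex.split(value) if split else [value]
    out = subprocess.run([sys.executable, "-c", CHILD, *extra],
                         capture_output=True, text=True, check=True, timeout=10)
    return json.loads(out.stdout)["args"]


if __name__ == "__main__":
    row_value = "$(echo INJECTED)"  # constructed sample of a hostile database value
    print("shell string:", run_unsafe(row_value))  # the shell ran the substitution
    print("argv list:   ", run_safe(row_value))    # the child received the literal text
    print("split:       ", run_safe("--name 'John Smith'", split=True))
```
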