On Wed, 02 May 2007 13:05:08 -0700, Tobiah <[EMAIL PROTECTED]> wrote:
>
>> In addition to the above good advice, in case you are submitting a query
>> to a DB-API compliant SQL database, you should use query parameters
>> instead of building the query with string substitution.
>
> I tried that a long time ago, but I guess I found it to be
> more awkward. I imagine that it is quite a bit faster that way?
> I'm using MySQLdb.
>
Given

    name = raw_input("What is your name?")
    cursor.execute("INSERT INTO users (name) VALUES ('%s')" % (name,))

if I enter my name to be "'; DELETE FROM users;", then you are probably going
to be slightly unhappy. However, if you insert rows into your database like
this:

    cursor.execute("INSERT INTO users (name) VALUES (%s)", (name,))

then I will simply end up with a funny name in your database, instead of
being able to delete all of your data.

Jean-Paul
--
http://mail.python.org/mailman/listinfo/python-list
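The two INSERT styles from Jean-Paul's reply, run side by side against an in-memory SQLite database so the difference is observable. This is an added example, not code from the thread; the `users` and `config` tables and the `hunter2` secret are constructed for the demo. It uses Python 3 and the stdlib `sqlite3` module (qmark `?` placeholders) rather than MySQLdb (which uses `%s` placeholders in the SQL text with the same tuple second argument); the behaviour being shown is the same.

```python
import sqlite3


def fresh_db():
    """Constructed sample schema: a users table and a second table holding a secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("CREATE TABLE config (secret TEXT NOT NULL)")
    conn.execute("INSERT INTO config (secret) VALUES ('hunter2')")  # constructed value
    conn.commit()
    return conn


def insert_user_unsafe(conn, name):
    # The pattern from the post: the user-supplied string is pasted into the SQL text,
    # so quote characters in `name` change the structure of the statement.
    conn.execute("INSERT INTO users (name) VALUES ('%s')" % (name,))
    conn.commit()


def insert_user_safe(conn, name):
    # Query parameters: the driver binds `name` as a value. sqlite3 uses '?';
    # MySQLdb would spell the placeholder as %s but take the same (name,) tuple.
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()


def user_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]


def demo(insert):
    """Insert one honest name and two attacker-controlled names, return what was stored."""
    conn = fresh_db()
    insert(conn, "Tobiah")
    # Payload 1: closes the quoted value and appends a second row tuple.
    insert(conn, "Mallory'), ('smuggled")
    # Payload 2: stays inside the quoted value but concatenates a subquery,
    # so the stored "name" becomes whatever is in another table.
    insert(conn, "' || (SELECT secret FROM config) || '")
    return user_names(conn)


if __name__ == "__main__":
    print("string substitution:", demo(insert_user_unsafe))
    print("query parameters:   ", demo(insert_user_safe))
```

With string substitution the table ends up holding four rows, `Tobiah`, `Mallory`, `smuggled` and `hunter2`, the last one lifted from `config`; with query parameters it holds three rows and the two payloads are stored verbatim as "funny names". The payloads are deliberately single statements: sqlite3's `execute()` refuses to run more than one statement per call, so the `'; DELETE FROM users;` payload from the post fails there for that reason rather than because the query was built safely, which is not a property to rely on.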