On Wed, 02 May 2007 13:05:08 -0700, Tobiah <[EMAIL PROTECTED]> wrote:
>
>> In addition to the above good advice, in case you are submitting a query
>> to a DB-API compliant SQL database, you should use query parameters
>> instead of building the query with string substitution.
>
>I tried that a long time ago, but I guess I found it to be
>more awkward. I imagine that it is quite a bit faster that way?
>I'm using MySQLdb.
>
Given
name = raw_input("What is your name?")
cursor.execute("INSERT INTO users (name) VALUES ('%s')" % (name,))
if I enter my name to be "'; DELETE FROM users;", then you are
probably going to be slightly unhappy. However, if you insert
rows into your database like this:
cursor.execute("INSERT INTO users (name) VALUES (%s)", (name,))
then I will simply end up with a funny name in your database, instead
of being able to delete all of your data.
Jean-Paul
--
http://mail.python.org/mailman/listinfo/python-list
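As an added example (not code from the thread), the two insert forms from the post run against an in-memory sqlite3 database, which is DB-API compliant but uses the `?` paramstyle where MySQLdb uses `%s`; the sample names are constructed here. Python's sqlite3 module refuses to run more than one statement per `execute()` call, so the substituted query fails outright rather than executing the DELETE, and an ordinary name with an apostrophe shows the same breakage on benign input.

```python
import sqlite3

# Constructed sample inputs: the name from the post, and an ordinary
# name that merely contains an apostrophe.
HOSTILE_NAME = "'; DELETE FROM users;"
PLAIN_NAME = "O'Brien"


def fresh_db():
    """In-memory database with one pre-existing row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    return conn


def insert_by_substitution(conn, name):
    """The unsafe pattern from the post: the value is pasted into the SQL
    text, so quote characters in it become part of the statement."""
    sql = "INSERT INTO users (name) VALUES ('%s')" % (name,)
    conn.execute(sql)


def insert_with_parameters(conn, name):
    """The safe pattern: the value is passed separately from the SQL text
    and the driver binds it as data, never as syntax."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))


def names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY rowid")]


def compare(name):
    """Run both insert styles against fresh databases. Returns a pair of
    (stored_names, error) tuples: index 0 for substitution, 1 for
    parameters; error is the exception class name or None on success."""
    results = []
    for insert in (insert_by_substitution, insert_with_parameters):
        conn = fresh_db()
        error = None
        try:
            insert(conn, name)
        except (sqlite3.Error, sqlite3.Warning) as exc:
            error = type(exc).__name__
        results.append((names(conn), error))
    return tuple(results)


if __name__ == "__main__":
    for name in (HOSTILE_NAME, PLAIN_NAME):
        print(repr(name), "->", compare(name))
```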