On Wed, Dec 12, 2007 at 09:08:44AM -0500, Calvin Spealman wrote regarding Re: psycopg:
>
> Don't do that, for a number of reasons. String concatenation is really
> never a good idea and formatting your own query strings is exactly what
> leads to things like SQL injection. Let the db library handle it for
> you:
>
If you don't know what a SQL injection is, and you don't feel like googling for it, this should give you a good idea of why this matters: http://xkcd.com/327/

> cur.execute('insert into seq(id,sequence) values(3, %s)', (content,))
>
> Notice that, although we're using the %s placeholder, we are _not_
> using the % operator to format the string. This is because the db
> module will do any proper preparation of the value for you before
> inserting into the string.
>
> On Dec 12, 2007, at 8:31 AM, sujitha mary wrote:
>
> Hi all,
> while executing this cur.execute('insert into seq(id,sequence)
> values(3,'+content+')')
> I'm getting an error psycopg2.ProgrammingError : syntax error at or
> near "prophage"
> LINE 1: insert into seq(id,sequence) values(3,Tum2 prophage
> complete...
>
> --
> http://mail.python.org/mailman/listinfo/python-list
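The three outcomes discussed in this thread, side by side, as an added example that is not part of the original posts or of psycopg2. It uses Python's bundled sqlite3 module as a stand-in for psycopg2 so it runs offline: sqlite3's DB-API placeholder is ? where psycopg2's is %s, but the parameter tuple is passed the same way. The table name, the sample value (modelled on the post's, whose exact text is truncated there) and the hostile value are all constructed for the example.

```python
import sqlite3

# Constructed sample value modelled on the one in the post (the exact
# original is truncated there). Spliced into the SQL unquoted, it makes
# the parser stop at the second word: the "syntax error near prophage"
# the original poster reported.
CONTENT = "Tum2 prophage complete"

# Constructed hostile value: inside a hand-quoted string literal it closes
# the quote and supplies a second VALUES row, so whoever controls `content`
# writes a row of their choosing. It needs no second statement to work.
HOSTILE = "x'), (4, 'injected"


def make_db():
    """Fresh in-memory SQLite database with the post's seq(id, sequence) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seq (id INTEGER, sequence TEXT)")
    return conn


def insert_concat(conn, content):
    """The original poster's pattern: the value pasted straight into the SQL.
    Returns the database's error text, or None if the statement ran."""
    try:
        conn.execute("insert into seq(id,sequence) values(3," + content + ")")
        return None
    except sqlite3.DatabaseError as exc:
        return str(exc)


def insert_concat_quoted(conn, content):
    """The tempting next 'fix': wrapping the value in quotes by hand. The
    value is still part of the SQL text, so a quote inside it rewrites
    the query."""
    conn.execute("insert into seq(id,sequence) values(3,'" + content + "')")


def insert_param(conn, content):
    """What the reply recommends: a placeholder in the SQL and the value in
    a separate tuple. psycopg2's placeholder is %s, sqlite3's is ?; either
    way the driver never splices the value into the statement text."""
    conn.execute("insert into seq(id,sequence) values(3, ?)", (content,))


def rows(conn):
    """All rows of seq, ordered by id, for inspection."""
    return conn.execute("SELECT id, sequence FROM seq ORDER BY id").fetchall()


def demo():
    """Run each variant on a fresh database and return what it did."""
    db = make_db()
    concat_error = insert_concat(db, CONTENT)  # syntax error near "prophage"

    db = make_db()
    insert_concat_quoted(db, HOSTILE)
    quoted_rows = rows(db)  # two rows: the hostile value added one

    db = make_db()
    insert_param(db, HOSTILE)
    param_rows = rows(db)  # one row holding the hostile text verbatim

    db = make_db()
    insert_param(db, CONTENT)
    content_rows = rows(db)  # the poster's value, stored without any error

    return {
        "concat_error": concat_error,
        "quoted_rows": quoted_rows,
        "param_rows": param_rows,
        "content_rows": content_rows,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The middle case is the one worth remembering: adding quotes by hand makes the poster's original value "work", which is why people stop there, but it leaves the query text under the caller's control. Only the parameterized form keeps data and SQL apart.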