There are several problems with your SQL, but not all of them would be caught by the computer. Your SELECT statement is not parameterized. This is a security problem. *Always* parameterize your variables. Your UPDATE statement has an extraneous comma at the end, and it also has quotes around the "%s"es that you don't need, because you already parameterized that query. Your dbapi interface will provide appropriate quoting for whatever type of data you pass it.
Cheers, Cliff On Fri, 2008-04-18 at 10:13 -0500, Victor Subervi wrote: > Hi; > If I grab an image in the database thus: > > sql = "select pic1 from products where id='" + str(id) + "';" > cursor.execute(sql) > pic1 = cursor.fetchall()[0][0].tostring() > # pic1 = cursor.fetchall()[0][0] // either this or the above > line > > and try and re-insert it thus: > > cursor.execute('update products set pic1="%s" where id="%s", ;', > (pic1, id)) > > it tells me I have an error in my MySQL syntax. What is the error? > TIA, > Victor -- Oook, J. Cliff Dyer Carolina Digital Library and Archives UNC Chapel Hill -- http://mail.python.org/mailman/listinfo/python-list