On Fri, Apr 10, 2009 at 5:26 PM, Mike H wrote:
> Thanks to all of you.
>
> FYI, I'm doing this because I'm working on creating some insert
> statements in SQL, where string values need to be quoted, and integer
> values need to be unquoted.

This is what you should have posted in the first place.  Your solution
is entirely the wrong one, because it will break if your input strings
contain the quote character (and suffers from other issues as
well)--this is where SQL injection vulnerabilities come from.  The
safe and correct way is to allow your database driver to insert the
parameters into the SQL query for you; it will look something like
this (though the exact details will vary depending on what module
you're using):

cursor.execute('INSERT INTO my_table VALUES (?, ?, ?)', ['test',1,'two'])

-Miles
--
http://mail.python.org/mailman/listinfo/python-list
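To make the point above concrete, here is an added example (not from Miles or Mike, and not tied to any particular database module) that runs the "quote strings, leave integers bare" builder and the driver-bound version side by side against an in-memory SQLite table. The table name, columns and sample rows are constructed for the demonstration; the name O'Brien is ordinary input, not an attack, and is enough to show where hand-built literals fall over while the parameterized insert stores it intact with the integer column still an integer.

```python
import sqlite3

# Constructed sample rows: a name with an apostrophe is perfectly normal
# data, yet it is exactly the input that breaks hand-assembled SQL text.
SAMPLE_ROWS = [
    ("test", 1, "two"),
    ("O'Brien", 2, "three"),
]


def fresh_db():
    """In-memory SQLite database with a hypothetical three-column table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (name TEXT, n INTEGER, label TEXT)")
    return conn


def naive_literal(value):
    """Quote strings, leave integers bare: the hand-rolled approach."""
    if isinstance(value, str):
        return "'" + value + "'"
    return str(value)


def insert_naive(conn, row):
    """Build the INSERT by pasting literals into the statement text."""
    sql = "INSERT INTO my_table VALUES (%s)" % ", ".join(
        naive_literal(v) for v in row
    )
    conn.execute(sql)


def insert_parameterized(conn, row):
    """Let the driver bind the values.

    Only the *number* of placeholders depends on the row, never its
    contents, so the string formatting here cannot be influenced by data.
    """
    placeholders = ", ".join("?" for _ in row)
    conn.execute("INSERT INTO my_table VALUES (%s)" % placeholders, row)


def naive_results():
    """Report, per sample row, whether the naive builder could insert it."""
    conn = fresh_db()
    outcome = {}
    for row in SAMPLE_ROWS:
        try:
            insert_naive(conn, row)
            outcome[row[0]] = "inserted"
        except sqlite3.OperationalError as exc:
            # The apostrophe ends the literal early; SQLite rejects the rest.
            outcome[row[0]] = "error: " + exc.__class__.__name__
    return outcome


def parameterized_results():
    """Return the rows as stored after parameterized inserts, types intact."""
    conn = fresh_db()
    for row in SAMPLE_ROWS:
        insert_parameterized(conn, row)
    return conn.execute(
        "SELECT name, n, label FROM my_table ORDER BY n"
    ).fetchall()


if __name__ == "__main__":
    print("naive builder:", naive_results())
    print("parameterized:", parameterized_results())
```

The placeholder syntax is driver-specific (sqlite3 uses "?", many others use "%s"), but every DB-API module exposes the same two-argument execute(statement, parameters) form, and that is the only place the values should enter the query.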