ivanko....@gmail.com wrote:
On 29.08.2009 15:40, "Sergio Charpinel Jr." <sergiocharpi...@gmail.com> wrote:
Thanks.
Do you know if both of them work for MySQL too?

2009/8/29 <ivanko....@gmail.com>

On 29.08.2009 15:27, "Sergio Charpinel Jr." <sergiocharpi...@gmail.com> wrote:

Actually, this works for any string (it doesn't depend on anything else). So you can pass "somestring {0}".format(foo) to any function because the string will be formatted _first_ and then passed as an argument. The same goes with "somestring %s" % "foo". Both will work.

Bad idea when assembling SQL, unless you _like_ SQL-injection attacks:

 sql = "select * from users where name='%s' and password='%s'"

 # get some values from an untrusted user:
 name = "administrator"
 password = "' or 1=1; drop table users; --"

 # the formatted string the database actually sees:
 #   select * from users where name='administrator' and password='' or 1=1; drop table users; --'
 cursor.execute(sql % (name, password))
 # uh-oh!

This is why it's so important to use the DB API's own escaping functions.

-tkc

--
http://mail.python.org/mailman/listinfo/python-list
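The point of the thread, shown end to end as an added example (this is not code from the thread or from any driver's own documentation): the string-formatted query from the post beside the DB-API form, where the values go to execute() as a separate argument and the driver binds them. It uses the standard-library sqlite3 module as a stand-in for MySQLdb, with a constructed in-memory users table; the names make_db, login_unsafe, login_safe and demo are this example's own. The payload is shortened to `' or '1'='1` because sqlite3's execute() refuses to run more than one statement per call, so the `; drop table users` half of the post's payload would raise rather than run under sqlite3 (other drivers may behave differently).

```python
import sqlite3

# Placeholder syntax is driver-specific and advertised by the module's
# paramstyle attribute: sqlite3 is "qmark" (?), MySQLdb is "format" (%s).
# With MySQLdb the %s looks like string formatting but is a bind marker
# only when the values are passed as execute()'s second argument.
PLACEHOLDERS = {"qmark": "?", "format": "%s"}


def make_db():
    """Constructed sample data: an in-memory users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, password text)")
    conn.execute("insert into users values ('administrator', 's3cret')")
    conn.execute("insert into users values ('alice', 'hunter2')")
    conn.commit()
    return conn


def login_unsafe(conn, name, password):
    """The thread's pattern: format the values into the SQL text first,
    then execute the result.  Untrusted input becomes part of the query."""
    sql = "select name from users where name='%s' and password='%s'"
    cur = conn.cursor()
    cur.execute(sql % (name, password))
    return sorted(row[0] for row in cur.fetchall())


def login_safe(conn, name, password, paramstyle=sqlite3.paramstyle):
    """DB-API pattern: the SQL text contains only placeholders; the values
    travel separately and can never change the query's structure.  Only the
    placeholder token is ever formatted in, never user data."""
    ph = PLACEHOLDERS[paramstyle]
    sql = "select name from users where name=%s and password=%s" % (ph, ph)
    cur = conn.cursor()
    cur.execute(sql, (name, password))
    return sorted(row[0] for row in cur.fetchall())


def demo():
    """Run both variants against the same table with a correct password and
    with an injection payload; returns the four result lists."""
    conn = make_db()
    good = "s3cret"
    evil = "' or '1'='1"   # turns the WHERE clause into ... or '1'='1'
    return (
        login_unsafe(conn, "administrator", good),
        login_unsafe(conn, "administrator", evil),   # every user comes back
        login_safe(conn, "administrator", good),
        login_safe(conn, "administrator", evil),     # nothing matches
    )


if __name__ == "__main__":
    for label, rows in zip(("unsafe/good", "unsafe/evil", "safe/good", "safe/evil"), demo()):
        print("%-12s %r" % (label, rows))
```

Both `%` and `str.format()` produce the finished SQL text before execute() ever sees it, which is why neither helps here and why the answer to the MySQL question is the same: with MySQLdb, write `cursor.execute("... where name=%s and password=%s", (name, password))` and let the driver do the quoting.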