On 29.08.2009 17:26, Tim Chase <python.l...@tim.thechases.com> wrote:
ivanko....@gmail.com wrote:

On 29.08.2009 15:40, "Sergio Charpinel Jr." <sergiocharpi...@gmail.com> wrote:

Thanks.

Do you know if both of them work for mysql too?

2009/8/29 <ivanko....@gmail.com>

On 29.08.2009 15:27, "Sergio Charpinel Jr." <sergiocharpi...@gmail.com> wrote:

Actually, this works for any string (it doesn't depend on anything else). So you can pass "somestring {0}".format(foo) to any function, because the string will be formatted _first_ and then passed as an argument. The same goes for "somestring %s" % "foo". Both will work.

Bad idea when assembling SQL, unless you _like_ SQL-injection attacks:

sql = "select * from users where name='%s' and password='%s'"

# get some values from an untrusted user:
name = "administrator"
password = "' or 1=1; drop table users; --"

# cursor is an open DB-API cursor; the values are spliced into the
# SQL text by % before the database driver ever sees them
cursor.execute(sql % (name, password))
# uh-oh!

This is why it's so important to use the DB API's own escaping functions.

-tkc
Sergio, Tim Chase is absolutely right! What you can do here is check every field separately, OR you can modify the format() method to automatically do that. In the second case, you need to create your method first and then assign it to the str.format method like this: str.format = your_format_method . Note that there are NO parentheses. For more details, look at this recipe: http://code.activestate.com/recipes/92823/ . I think it will simplify things for you later, as every time you call the str.format method, the values will be checked automatically.
-- 
http://mail.python.org/mailman/listinfo/python-list
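The injection Tim describes, run end to end against an in-memory SQLite table, as an added example that is not part of the thread or of any poster's code. It puts the string-formatted query next to the parameterised one and shows the same attacker-supplied password bypassing the first and failing against the second. The `users` rows are constructed sample data, and `make_db`, `placeholder`, `login_unsafe`, `login_safe` and `demo` are names chosen for this example. The `placeholder` helper also touches Sergio's MySQL question: DB-API modules advertise their marker style in `paramstyle` (sqlite3 reports `qmark`, so the marker is `?`; MySQLdb reports `format`, so the marker is `%s`), and the values are still passed as a separate tuple either way.

```python
import sqlite3

# Constructed sample data for the demo, not taken from the thread.
USERS = [("administrator", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Build an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, password text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    conn.commit()
    return conn


def placeholder(module):
    """Return the positional parameter marker for a DB-API module.

    Only the two positional styles are handled here: 'qmark' (sqlite3) and
    'format' (MySQLdb). Named styles would need a different query shape.
    """
    markers = {"qmark": "?", "format": "%s"}
    return markers[module.paramstyle]


def login_unsafe(conn, name, password):
    """Vulnerable: user input is spliced into the SQL text with %.

    Whatever the user typed becomes part of the statement, so quotes,
    'or 1=1' and comment markers are interpreted as SQL.
    """
    sql = "select name from users where name='%s' and password='%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterised: the driver receives the values separately from the SQL.

    The % below only inserts the driver's placeholder into the template;
    no user data touches the SQL text.
    """
    p = placeholder(sqlite3)
    sql = "select name from users where name=%s and password=%s" % (p, p)
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both logins with an attacker-controlled password and return the rows each yields."""
    conn = make_db()
    name = "administrator"
    # The "drop table" half of Tim's payload is left out because sqlite3's
    # execute() refuses to run more than one statement; the "or 1=1" alone is
    # enough to turn the WHERE clause into a match on every row.
    password = "' or 1=1 --"
    return login_unsafe(conn, name, password), login_safe(conn, name, password)


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("string-formatted query returned:", unsafe_rows)
    print("parameterised query returned:   ", safe_rows)
```

With the formatted query the WHERE clause becomes `name='administrator' and password='' or 1=1 --'`, and since AND binds tighter than OR every user is returned; the parameterised query compares the literal string `' or 1=1 --` against the stored password and matches nothing. The single-statement limit of sqlite3 is not a defence: an attacker does not need a second statement to log in as anyone.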
