MRAB wrote:
Victor Subervi wrote:
Hi;
mysql> truncate tem126072414516;
Query OK, 0 rows affected (0.00 sec)
Then I run a script:
    if whatDo == 'insert':
        try:
            # values pasted into the statement with "%" (no escaping)
            sql = ('insert into %s (ProdID, Quantity) values ("%s", "%s");'
                   % (tmpTable, prodid, quantity))
            print sql
            cursor.execute(sql)
Don't put values into an SQL statement using the "%" operator. It doesn't
do SQL escapes and allows SQL injection attacks.
Try something more like this (assuming that tmpTable does NOT come
from external input, which would be very risky).
    cursor = db.cursor()                                  ## create cursor
    sql = 'insert into ' + tmpTable + ' (ProdID, Quantity) values (%s,%s);'
    values = (prodid, quantity)                           ## values to insert
    print sql
    cursor.execute(sql, values)                           ## let the driver do the substitution
    db.commit()                                           ## commit transaction
1. The table names look different.
2. Did you commit the changes?
That, too.
John Nagle
--
http://mail.python.org/mailman/listinfo/python-list
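Added example, not code from anyone in the thread: it puts the two points side by side (parameters for the values, an allowlist for the table name, which cannot be passed as a parameter, and an explicit commit). It uses the standard-library sqlite3 module so it runs anywhere; MySQLdb takes the same execute(sql, values) call but uses %s placeholders instead of ?. The table name, column names and the sample value are constructed for the demo.

```python
import re
import sqlite3

# Assumption: the temporary tables the script may touch are known in advance,
# so the name can be checked against a fixed set instead of trusted from input.
ALLOWED_TABLES = {"tem126072414516"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_unsafe_sql(table, prodid, quantity):
    """The pattern from the original post: values pasted in with '%'.

    Returned only for inspection; a value containing a quote character lands
    in the statement unescaped, so the data rewrites the SQL.
    """
    return 'insert into %s (ProdID, Quantity) values ("%s", "%s");' % (
        table, prodid, quantity)


def is_allowed_table(table):
    """A table name is usable only if it is a plain identifier on the allowlist."""
    return bool(IDENT_RE.match(table)) and table in ALLOWED_TABLES


def insert_item(db, table, prodid, quantity):
    """Parameterised insert: the driver sends the values separately from the SQL."""
    if not is_allowed_table(table):
        raise ValueError("table name not allowed: %r" % table)
    sql = "insert into " + table + " (ProdID, Quantity) values (?, ?)"
    cursor = db.cursor()
    cursor.execute(sql, (prodid, quantity))   # values never touch the SQL text
    db.commit()                               # without this the row is not visible elsewhere
    return cursor.rowcount


def fetch_rows(db, table):
    if not is_allowed_table(table):
        raise ValueError("table name not allowed: %r" % table)
    return db.execute("select ProdID, Quantity from " + table).fetchall()


def demo():
    """Constructed run: compare the unsafe statement text with what the safe path stores."""
    db = sqlite3.connect(":memory:")
    db.execute("create table tem126072414516 (ProdID text, Quantity text)")
    tricky = 'abc", "1); -- '          # constructed value with quote characters in it
    unsafe = build_unsafe_sql("tem126072414516", tricky, "5")
    insert_item(db, "tem126072414516", tricky, "5")
    rows = fetch_rows(db, "tem126072414516")
    return unsafe, rows


if __name__ == "__main__":
    unsafe_sql, stored = demo()
    print("unsafe statement:", unsafe_sql)
    print("stored via parameters:", stored)
```

With parameters the awkward value is stored byte-for-byte as one field, whereas the formatted string shows the quote closing the literal early; the allowlist check is what stands in for the parameter that SQL cannot take for an identifier.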