John Machin wrote: [...] > I note that in the code shown there are examples of building an SQL > query where the table name is concocted at runtime via the % > operator ... key phrases: "bad database design" (one table per > store!), "SQL injection attack" > I'm not trying to defend the code overall, but most databases won't let you parameterize the table or column names, just the data values.
regards Steve -- Steve Holden +1 571 484 6266 +1 800 494 3119 PyCon is coming! Atlanta, Feb 2010 http://us.pycon.org/ Holden Web LLC http://www.holdenweb.com/ UPCOMING EVENTS: http://holdenweb.eventbrite.com/ -- http://mail.python.org/mailman/listinfo/python-list