Am 22.05.2010 18:09, schrieb Adam Tauno Williams:
On Sat, 2010-05-22 at 18:06 +0200, Christian Heimes wrote:
A lister recently responded to my post concerning mysl commands of the
following type:
cursor.execute('insert into foo values (%s, %s)' % (bar, something))
stating that I need to eliminate the "%" to prevent injection attacks, thus:
cursor.execute('insert into foo values (%s, %s)', (bar, something))
My question is simply this: Is that advice good for *all* mysql commands? Or
are there some where the "%" is necessary and a comma would fail? I need to
update lots of mysql commands. If I can do it without harmful consequences,
I'll do it across the board. Otherwise, I'll have to test each one.
TIA,
beno
You *MUST NOT* use string formatting for SQL commands unless you
+1
And they are hideous code.
Use an ORM:<http://freshmeat.net/projects/sqlalchemy>
How about using a proper RDBMS that supports SQL standards, triggers,
foreign keys and functions first? :)
--
http://mail.python.org/mailman/listinfo/python-list
