Victor Subervi wrote:
Hi;
I have the following code:

    cursor.execute('select MyTable from optionsDetails where Store=%s', (store,))
    options_tables = [item[0] for item in cursor]
    for table in options_tables:
      cursor.execute('select * from %' % table)

Should be:

    'select * from %s' % table

Details! :-)

You can already see what my question is. One of y'all said it's possible under certain conditions to use the % without risking attack. Now is when I need to know how to do that. Please advise.

It's safe when there's no way that the value you're putting in can come
from the user.

Here you're taking it from the 'optionsDetails' table. Can the user add,
alter or delete that entry in any way?
--
http://mail.python.org/mailman/listinfo/python-list
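
One way to apply the advice above when the table name has to be interpolated, shown as an added example that is not part of the original thread. It assumes sqlite3 (with `?` placeholders) in place of the thread's `%s`-style driver so that it runs stand-alone. The helper names `safe_table` and `fetch_option_rows` are hypothetical, and the sample rows are constructed.

```python
import re
import sqlite3

# Only plain identifiers are accepted; \Z rejects a trailing newline too.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

def safe_table(conn, name):
    """Return a quoted identifier for `name`, or raise ValueError."""
    if not isinstance(name, str) or not IDENT.match(name):
        raise ValueError("not a plain identifier: %r" % (name,))
    # The name must also be a table that really exists in this database.
    row = conn.execute(
        "select 1 from sqlite_master where type='table' and name=?", (name,)
    ).fetchone()
    if row is None:
        raise ValueError("no such table: %r" % (name,))
    return '"%s"' % name

def fetch_option_rows(conn, store):
    """The loop from the thread, with each table name checked before use."""
    cur = conn.execute(
        "select MyTable from optionsDetails where Store=?", (store,))
    results, rejected = {}, []
    for (table,) in cur.fetchall():
        try:
            ident = safe_table(conn, table)
        except ValueError:
            rejected.append(table)   # keep for logging / review
            continue
        # Interpolation is acceptable here: ident passed both checks.
        results[table] = conn.execute("select * from %s" % ident).fetchall()
    return results, rejected

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table optionsDetails (Store text, MyTable text)")
    conn.execute("create table colors (name text)")
    conn.executemany("insert into colors values (?)", [("red",), ("blue",)])
    # Constructed rows: one valid name, one tampered value, one stale entry.
    conn.executemany("insert into optionsDetails values (?, ?)", [
        ("shop1", "colors"),
        ("shop1", "colors; drop table colors"),
        ("shop1", "missing"),
    ])
    return fetch_option_rows(conn, "shop1")

if __name__ == "__main__":
    print(demo())
```

The existence check means a row in `optionsDetails` can only ever select a table that is already in the schema, even if a user can edit that row.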
