On Fri, Jul 16, 2010 at 10:09 AM, MRAB <[email protected]> wrote:
> Victor Subervi wrote:
>
>> Hi;
>> I have the following code:
>>
>> cursor.execute('select MyTable from optionsDetails where Store=%s',
>>                (store,))
>> options_tables = [item[0] for item in cursor]
>> for table in options_tables:
>>     cursor.execute('select * from %' % table)
>>
> Should be:
>
> 'select * from %s' % table
>
> Details! :-)
LOL. Whoops. Thanks.
>
>> You can already see what my question is. One of y'all said it's possible
>> under certain conditions to use the % without risking attack. Now is when I
>> need to know how to do that. Please advise.
>
> It's safe when there's no way that the value you're putting in can come
> from the user.
>
> Here you're taking it from the 'optionsDetails' table. Can the user add,
> alter or delete that entry in any way?
>
No, and that's kind of what I figured. Thanks!
beno
--
http://mail.python.org/mailman/listinfo/python-list
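
An added example (not code from the thread) that makes the condition discussed above explicit: values go through placeholders, and a table name is interpolated only after it matches an identifier pattern and the database's own table list. It uses the standard-library sqlite3 module with its `?` placeholder in place of the thread's driver and `%s`; the `colors` and `sizes` tables, the `shop1` store, the tampered row and the function names are constructed for illustration.

```python
import re
import sqlite3

# A plain SQL identifier; \Z (not $) so a trailing newline cannot slip through.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

def build_demo_db():
    """Constructed sample data: optionsDetails rows name other tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE optionsDetails (Store TEXT, MyTable TEXT);
        CREATE TABLE colors (name TEXT);
        CREATE TABLE sizes (name TEXT);
        INSERT INTO colors VALUES ('red'), ('blue');
        INSERT INTO sizes VALUES ('S'), ('M'), ('L');
        INSERT INTO optionsDetails VALUES ('shop1', 'colors'), ('shop1', 'sizes');
    """)
    # Constructed row: what the column could hold if a user were able to edit it.
    db.execute("INSERT INTO optionsDetails VALUES (?, ?)",
               ("shop1", "colors; DROP TABLE sizes"))
    return db

def existing_tables(db):
    """Table names as the database itself reports them."""
    rows = db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {r[0] for r in rows}

def read_option_tables(db, store):
    """Return ({table: rows}, [rejected names]) for one store."""
    # The store value is data, so it goes through a placeholder.
    cur = db.execute("SELECT MyTable FROM optionsDetails WHERE Store = ?",
                     (store,))
    names = [r[0] for r in cur.fetchall()]
    allowed = existing_tables(db)
    results, rejected = {}, []
    for name in names:
        # Placeholders cannot stand in for identifiers, so validate instead.
        if not IDENT.match(name) or name not in allowed:
            rejected.append(name)
            continue
        # name is now a known table; the quoting is an extra safeguard.
        results[name] = db.execute('SELECT * FROM "%s"' % name).fetchall()
    return results, rejected

if __name__ == "__main__":
    results, rejected = read_option_tables(build_demo_db(), "shop1")
    print("read:", results)
    print("rejected:", rejected)
```

Checking against the catalog still permits any existing table; a fixed set of expected option-table names is stricter where the list is known in advance.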