On 8/4/2010 4:40 PM, Νίκος wrote:
cursor.execute( ''' SELECT host, hits, date FROM visitors WHERE page = '%s' ORDER BY date DESC ''' % (page) )
Don't do string substitution ("%") on SQL statements. Let MySQLdb do it for you, with proper escaping:
cursor.execute('''SELECT host, hits, date FROM visitors WHERE page=%s ORDER BY date DESC''', (page,)) The difference is that if some external source can control "page", and they put in a value like 100 ; DELETE FROM visitors; SELECT * FROM visitors you just lost your data. John Nagle -- http://mail.python.org/mailman/listinfo/python-list