On 8/4/2010 4:40 PM, Νίκος wrote:

                cursor.execute( ''' SELECT host, hits, date FROM visitors WHERE
                page = '%s' ORDER BY date DESC ''' % (page) )

Don't do string substitution ("%") on SQL statements. Let MySQLdb do it for you, with proper escaping:

   cursor.execute('''SELECT host, hits, date FROM visitors WHERE page=%s
        ORDER BY date DESC''', (page,))

The difference is that if some external source can control "page", and
they put in a value like

        100 ; DELETE FROM visitors; SELECT * FROM visitors

you just lost your data.

                                        John Nagle
--
http://mail.python.org/mailman/listinfo/python-list
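An added, runnable illustration of John's point (not code from the thread). It uses the stdlib sqlite3 module in place of MySQLdb so it runs offline; sqlite3 binds parameters with '?' where MySQLdb uses '%s', but the principle is identical. The table, rows and hostile value are constructed for the example; the hostile value is the thread's payload adjusted to close the quote the original query wrapped around %s.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the 'visitors' table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (host TEXT, hits INTEGER, page TEXT, date TEXT)")
    conn.executemany("INSERT INTO visitors VALUES (?, ?, ?, ?)", [
        ("10.0.0.1", 3, "index.html", "2010-08-01"),
        ("10.0.0.2", 7, "index.html", "2010-08-02"),
        ("10.0.0.3", 1, "about.html", "2010-08-03"),
    ])
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM visitors").fetchone()[0]


def build_unsafe_sql(page):
    """The pattern from the original post: the value is pasted into the SQL text."""
    return "SELECT host, hits, date FROM visitors WHERE page = '%s' ORDER BY date DESC" % (page,)


def query_unsafe(conn, page):
    # executescript() runs every statement in the text, emulating a server that
    # accepts several statements per call; sqlite3's plain execute() would refuse it.
    conn.executescript(build_unsafe_sql(page))


def query_safe(conn, page):
    """What John recommends: the driver binds the value, so it can only ever be data."""
    return conn.execute(
        "SELECT host, hits, date FROM visitors WHERE page = ? ORDER BY date DESC",
        (page,),
    ).fetchall()


# Constructed hostile value: the thread's payload, with a quote to break out of '%s'.
HOSTILE_PAGE = "x'; DELETE FROM visitors; SELECT * FROM visitors WHERE page = 'x"


def demo():
    conn = make_db()
    safe_rows = query_safe(conn, HOSTILE_PAGE)   # [] : no page has that name
    after_safe = row_count(conn)                 # 3 : table untouched
    query_unsafe(conn, HOSTILE_PAGE)
    after_unsafe = row_count(conn)               # 0 : "you just lost your data"
    return safe_rows, after_safe, after_unsafe
```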
