On Fri, Nov 11, 2016 at 2:36 AM, Michael Torrie <torr...@gmail.com> wrote:
> On 11/10/2016 06:15 AM, Dennis Lee Bieber wrote:
>> On Wed, 9 Nov 2016 21:05:50 -0800 (PST), sudeeratechn...@gmail.com
>> declaimed the following:
>>
>>>
>>> sql = "insert into beacon VALUES(null, '%s')" % \
>>> (beacon)
>>>
>> DON'T DO THAT...
>
> Wouldn't hurt to include a brief why on this, and the right way to do
> this. The why is, of course, that this operation is vulnerable to SQL
> injection. This should be avoided as a matter of practice, even if
> you're not taking input from anyone but yourself. The correct way to do
> this is to use a prepared statement. And of course the relevant xkcd
> is: https://xkcd.com/327/
The easiest way is to use a parameterized query:

cur.execute("insert into beacon VALUES(null, %s)", (beacon,))

I don't understand why so many people conflate parameterized with prepared. "Prepared statements" have a two-step execution. "Parameterized queries" needn't.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
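To make the difference between the two approaches concrete, here is an added example (not code from the thread) that runs the string-formatted insert from the original post and ChrisA's parameterized form side by side against an in-memory SQLite table. The table shape (`beacon(id, value)`) and the sample value containing single quotes are constructed for the demonstration. Note one caveat the one-liner in the thread does not show: the DB-API placeholder style depends on the driver. `sqlite3` uses `?` (`qmark`), while `%s` (`format`) is what drivers such as `psycopg2` or `MySQLdb` expect; in both cases the value is bound by the driver rather than pasted into the SQL text.

```python
import sqlite3

# Constructed sample input: a perfectly legitimate value that happens to
# contain single quotes. It breaks a string-formatted statement for the
# same reason SQL injection works: the value becomes part of the SQL text.
SAMPLE_BEACON = "O'Brien's beacon"


def make_db():
    """Create an in-memory database with a table shaped like the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE beacon (id INTEGER PRIMARY KEY, value TEXT)")
    return conn


def insert_formatted(conn, beacon):
    """The pattern from the original post: string formatting builds the SQL.

    The value is interpolated into the statement, so any quote in it changes
    the statement's structure. Returns the exception class name on failure,
    None on success.
    """
    sql = "insert into beacon VALUES(null, '%s')" % (beacon,)
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return type(exc).__name__


def insert_parameterized(conn, beacon):
    """Parameterized query: the value travels separately from the SQL text.

    sqlite3 uses the 'qmark' paramstyle ('?'); the '%s' in ChrisA's reply is
    the 'format' paramstyle used by other drivers. Either way the driver
    binds the value, and the SQL text never changes shape.
    """
    conn.execute("insert into beacon VALUES(null, ?)", (beacon,))
    conn.commit()


def stored_values(conn):
    """Return every stored beacon value, in insertion order."""
    return [row[0] for row in conn.execute("SELECT value FROM beacon ORDER BY id")]


def demo():
    """Run both variants against the sample value and report what happened."""
    conn = make_db()
    failure = insert_formatted(conn, SAMPLE_BEACON)  # expected: OperationalError
    insert_parameterized(conn, SAMPLE_BEACON)        # stores the value intact
    return {
        "paramstyle": sqlite3.paramstyle,
        "formatted_error": failure,
        "stored": stored_values(conn),
    }


if __name__ == "__main__":
    print(demo())
```

The formatted variant fails with a syntax error on an innocent value; with a crafted value the same mechanism would instead alter the statement silently, which is why the advice in the thread applies even when the only "user" is yourself. The parameterized variant stores the quotes verbatim because the driver never had to parse them as SQL.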