BartlebyScrivener wrote:
> This can't be the most elegant way to get a command line parameter into
> an sql query. It works but I can't explain why. Is there another, more
> correct way? Here sys.argv[1] is a topic like "laugher" or "technology"
>
> import mx.ODBC.Windows as odbc
> import sys
>
> driv='DRIVER={Microsoft Access Driver (*.mdb)};DBQ=d:/Access
> Databases/Quotations2005'
>
> conn = odbc.DriverConnect(driv)
> c = conn.cursor()
>
> c.execute ("SELECT Author, Topics.Topic1, Topic2, Quote FROM QUOTES7
> WHERE Topics.Topic1 LIKE '%%%s%%'" % sys.argv[1])
>
> rows = c.fetchall()
>
Try
c.execute ("""SELECT Author, Topics.Topic1, Topic2, Quote FROM QUOTES7
WHERE Topics.Topic1 LIKE ?""", ("%"+sys.argv[1],)
First, note that mx.ODBC uses paramstyle qmark bydefault. If you look in
the DB API manual you'll see that the cursor execute() method can take a
second argument which is a tuple of data values to replace the parameter
marks in the statement.
The parameterised query is the best way to avoid the potential for "SQL
injection" exploits against your program.
regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC www.holdenweb.com
PyCon TX 2006 www.python.org/pycon/
--
http://mail.python.org/mailman/listinfo/python-list
