Bowen wrote:

> import md5
> import string
> import MySQLdb
> 
> tc = raw_input("Teacher Code: ")
> p = raw_input("New Password: ")
> 
> print tc
> hash = md5.new()
> hash.update(p)
> print p
> print hash.hexdigest()
> h = hash.hexdigest()
> 
> boo = raw_input("Sure you want to update password with above details? Y or N: ")
> 
> if boo == 'y':
>     db = MySQLdb.connect("copweb2", "******", "******", "*******")
>     cursor = db.cursor()
>     if cursor.execute("UPDATE teachers SET password = '%s' WHERE teacher_code = '%s'" % (h, tc)):
>         print "Done"
>     else:
>         print "Error"
> else:
>     print "cancelled"
> 
> cursor.close()
> db.close()
> 
> 
> This code doesn't seem to update my database, anyone any idea why? Is
> it me being stupid? It doesn't kick out an error at all.

Another side note: don't build your queries using (dumb) string formatting,
let the MySQLdb module do it for you. More specifically use:

cursor.execute(
  "UPDATE teachers SET password = %s WHERE teacher_code = %s",
  (h, tc)
  )

instead of

cursor.execute(
  "UPDATE teachers SET password = '%s' WHERE teacher_code = '%s'"
  % (h, tc)
  )

The former form takes care of quoting and escaping. Your version did not
escape potentially harmful characters in tc, resulting in a possibly open
door for SQL injection attacks.

-- 
Benjamin Niemann
Email: pink at odahoda dot de
WWW: http://pink.odahoda.de/
-- 
http://mail.python.org/mailman/listinfo/python-list
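
The difference between the two execute() forms discussed above, as an added example that is not part of the original thread. It assumes Python 3 and swaps in the standard-library sqlite3 module so it runs offline; sqlite3 uses ? placeholders where MySQLdb uses %s, and the sample rows and helper function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names follow the post.
ROWS = [("T001", "old-hash-1"), ("T002", "old-hash-2"), ("T003", "old-hash-3")]


def fresh_db():
    """Build an in-memory teachers table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE teachers (teacher_code TEXT PRIMARY KEY, password TEXT)"
    )
    conn.executemany("INSERT INTO teachers VALUES (?, ?)", ROWS)
    return conn


def update_formatted(conn, h, tc):
    """String-formatted query, as in the original script: tc becomes SQL text."""
    sql = "UPDATE teachers SET password = '%s' WHERE teacher_code = '%s'" % (h, tc)
    return conn.execute(sql).rowcount


def update_parameterized(conn, h, tc):
    """Parameterized query: the driver passes h and tc as data, never as SQL.
    With MySQLdb the call has the same (sql, params) shape, using %s markers."""
    sql = "UPDATE teachers SET password = ? WHERE teacher_code = ?"
    return conn.execute(sql, (h, tc)).rowcount


def changed_rows(conn, h):
    """Count rows whose password column now holds h."""
    cur = conn.execute("SELECT COUNT(*) FROM teachers WHERE password = ?", (h,))
    return cur.fetchone()[0]


def compare(tc, h="new-hash"):
    """Return (rows changed by formatted form, rows changed by parameterized form)."""
    a, b = fresh_db(), fresh_db()
    update_formatted(a, h, tc)
    update_parameterized(b, h, tc)
    return changed_rows(a, h), changed_rows(b, h)


if __name__ == "__main__":
    print(compare("T002"))          # ordinary teacher code: both forms agree
    print(compare("x' OR '1'='1"))  # constructed input containing quotes
```

A harmless value with an apostrophe, such as O'Brien, makes the formatted form fail with a syntax error, while the parameterized form simply matches no row.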
