Originally it was:
 "SELECT * FROM users WHERE name='root' AND password=%s" % password
and it needs to run as:
cursor.execute("SELECT * FROM users WHERE name='root' AND password=%s", (password,))

The DB API uses %s as the placeholder instead of ?

2009/3/19 Dan Pressl <nu.f...@gmail.com>:
> I don't mean to nitpick, but shouldn't, instead of:
>
> %s
>
> it rather be:
>
> ?
>
> so that SQL injection can't happen so easily?
>
> 2009/3/19  <calis.mar...@seznam.cz>:
>> Hello, I'm having problems working with the SQL server:
>>
>> the server returns this error:
>> ProgrammingError: (1064, 'You have an error in your SQL syntax; check the 
>> manual that corresponds to your MySQL server version for the right syntax to 
>> use near 
>> \'\xa1A\x91k\xc7\xde\x17M\xe0j\xec\xc2\xf1(,iq|\x839;&\x17\xc4\xc1\xcc\x04\x93\x0e\xc81R\xf5UB&\xd1\xaf\xb4P"\'
>>  at line 1')
>>
>>
>> when interpreting:  "SELECT * FROM users WHERE name='root' AND password=%s" %
>> password
>>
>
>
> --
> ^nu.friX
> aka Dan Pressl
> Reality is useless & F4Q DMNC!!!
> Every syntax creates code. And code is poetry.
> _______________________________________________
> Python mailing list
> Python@py.cz
> http://www.py.cz/mailman/listinfo/python
>
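As an added illustration (not code from this thread), here are the original string-formatted query and the parameterized fix side by side, run against an in-memory SQLite database standing in for the poster's MySQL server; the `users` table, its row and the sample passwords are constructed for the example, and the placeholder is read from the driver's `paramstyle` so the same code would use `%s` under MySQLdb:

```python
import sqlite3

# In-memory SQLite stands in for the MySQL server from the thread; the
# table and its single row are constructed for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('root', 's3cret')")
    return conn

def placeholder(module):
    # DB-API 2.0 modules advertise their placeholder style: MySQLdb is
    # 'format' (%s), sqlite3 is 'qmark' (?). Reading it keeps the query
    # portable instead of hard-coding one or the other.
    return {"format": "%s", "qmark": "?"}[module.paramstyle]

def count_formatted(conn, password):
    # The original post's approach: Python string formatting pastes the raw
    # value into the SQL text, so the value is parsed as SQL, not as data.
    # Returns the row count, or None when the server rejects the statement
    # (the sqlite3 counterpart of the MySQL 1064 syntax error in the thread).
    sql = "SELECT * FROM users WHERE name='root' AND password=%s" % password
    try:
        return len(conn.execute(sql).fetchall())
    except sqlite3.Error:
        return None

def count_parameterized(conn, password):
    # The fix from the reply: the placeholder stays in the SQL text and the
    # value travels separately as a parameter tuple, so the driver quotes
    # and escapes it and it can never change the statement's structure.
    sql = "SELECT * FROM users WHERE name='root' AND password=" + placeholder(sqlite3)
    return len(conn.execute(sql, (password,)).fetchall())

if __name__ == "__main__":
    db = make_db()
    for pw in ("s3cret", "it's"):
        # formatted: None (server error) for both; parameterized: 1 then 0
        print(repr(pw), count_formatted(db, pw), count_parameterized(db, pw))
```

Even the correct password fails with the formatted version, because without quotes the server reads it as a column name, and a value containing a quote breaks the statement entirely, which is exactly the class of error the original poster saw.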