Ian Bicking <[EMAIL PROTECTED]> writes:
> More than smells, it is also insecure. When using the raw DB API, you
> should do:
>
> cursor.execute("... WHERE userName = %s", (userName,))
>
> Note the lack of '. The database driver will do the proper qu
Hi,
> -Original message-
> From: Ian Bicking [mailto:[EMAIL PROTECTED]
> Sent: Thursday 30 December 2004 22:47
> > """
> > WHERE userName='%s';
> > """
> > % (userName)
> >
> > merely smells, but
>
> More than smells, it is also insecure. When using the raw DB
> API,
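
The two query styles contrasted in the quoted message, side by side, as an added example that is not part of the original thread. It uses Python's built-in `sqlite3` driver, whose placeholder is `?` rather than the `%s` of the driver in the thread; the `users` table, the sample rows and the function names are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    """In-memory table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("o'brien", "obrien@example.test")],
    )
    return conn

def lookup_interpolated(conn, userName):
    """The pattern under discussion: the value is pasted into the SQL text."""
    sql = """
    SELECT userName FROM users
    WHERE userName='%s';
    """ % (userName)
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, userName):
    """Driver-side binding: the value never becomes part of the SQL text."""
    sql = "SELECT userName FROM users WHERE userName = ?"
    return [row[0] for row in conn.execute(sql, (userName,))]

def compare(conn, userName):
    """Run both lookups; report an SQL error from interpolation as a string."""
    try:
        interpolated = lookup_interpolated(conn, userName)
    except sqlite3.Error as exc:
        interpolated = "error: %s" % exc.__class__.__name__
    return interpolated, lookup_bound(conn, userName)

if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a plain name, a legitimate name containing a quote,
    # and a value whose quote characters alter the WHERE clause.
    for name in ["alice", "o'brien", "x' OR '1'='1"]:
        print(repr(name), compare(conn, name))
```

With binding, the legitimate name containing an apostrophe is found and the third input matches no row; with interpolation the first raises a syntax error and the second matches every row.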
[EMAIL PROTECTED] wrote:
One remark on ZPT: I quickly scanned docs and I read that ZPT can only be
used for generation of well-formed HTML docs. We use DocumentTemplates also
as 'SQL query templates' (we give the '.dsql' extension) - so ZPT couldn't
fully replace DocumentTemplates as we currently