python in this form uses BIND variables.. >>query = '''UPDATE cost_grid >> SET cost_1 = %s <--- %s = the bind variable placeholder/formatter >> WHERE cost_grid_id = %s >> AND finish_dro = %s'''' % ( a,c,b) <--- the raw tuple
That is, what is provided to python in the tuple following , is formatted as specified by the %s , and as such, is a formatted string (special characters are properly esscaped), and as far as sql query is concerned, it is escaped safely.. I tested this before, when I first started working with python - Not a problem at all. In fact, I also wrote a custom database class in PHP that mimics this exact same functionality.. and in all my testing, not a single SQL injection has succeeded :) Basically whatever the value may be is formatted to a string, and escaped if necessary for special chars. Kent Johnson wrote: > Alan Gauld wrote: > >>Hi John, >> >>I've no idea why its not working but this illustrates why I prefer to create >>the sql string outside the execute - its a lot easier to debug when you can >>print the string exactly as passed to execute. I know many others like to >>leave execute to do the escaping stuff but I prefer to see what I'm doing >>and put in a little extra effort. >> >>So I would write it as: >> >>query = '''UPDATE cost_grid >> SET cost_1 = %s >> WHERE cost_grid_id = %s >> AND finish_dro = %s'''' % ( a,c,b) >>c.execute(query) > > > Yikes! Alan! Certainly you know what an SQL injection attack is? And > what if the data contains special characters? > > For those who don't know, imagine what happens in the above if > b = '91.4; drop table cost_grid;' > > or even > b = 'a;b;"c"update' > > Kent > > _______________________________________________ > Tutor maillist - [email protected] > http://mail.python.org/mailman/listinfo/tutor > > !DSPAM:44422c98294101990911452! > > _______________________________________________ Tutor maillist - [email protected] http://mail.python.org/mailman/listinfo/tutor
