On Wed, 2006-09-20 at 15:46 -0600, Mike Hansen wrote:
> > > -----Original Message-----
> > Subject: Re: [Tutor] Python CGI Script
> >
> > > query1 = """SELECT ABC FROM %s limit %s,%s"""\
> > > % (self.tableid,self.rangeid1,self.rangeid2)
> >
> > Just as a note: please don't do this! *grin*
> >
> > Don't build query strings up like this: this is very prone to an SQL
> > injection attack. See:
> >
> > http://mail.python.org/pipermail/tutor/2003-April/022010.html
> >
> > which talks about this a bit more.
> > _______________________________________________
>
> I just wanted to verify what I believe to be the correct way of doing this.
>
> sql_statement = "INSERT INTO images (image) VALUES (%s)"
> cur.execute(sql_statement, (data_obj, ))
>
> Is it just moving the variable substitution to the execute statement as
> a tuple, so it will perform the proper quoting?
Yes, this looks good. (Looks like MySQL paramstyle.)

> Thanks,
>
> Mike

--
Lloyd Kvam
Venix Corp
_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
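To make the point of the thread concrete, here is an added example (not code from the thread or from either poster) that runs against the standard-library sqlite3 module rather than MySQL. It puts the string-formatted query the first reply warns about next to the parameterized form Mike asked about, feeds both the same hostile input, and also shows the one thing parameters cannot fix in the original query1: the table name. An identifier cannot be bound as a parameter, so it has to be checked against a fixed allowlist before it is formatted into the SQL. The table layout, the sample rows and the ALLOWED_TABLES set are constructed for the demo. Note the driver difference Lloyd mentions: sqlite3 uses the "qmark" paramstyle (?), while MySQLdb uses "format" (%s); in both cases the value is bound by the driver and never becomes part of the SQL text.

```python
import sqlite3

# Constructed sample rows for the demo (not from the original thread).
SAMPLE_USERS = [("alice", "alice-secret"), ("bob", "bob-secret")]

# Tables the application may query. A table name is an identifier, not a
# value, so it cannot be passed as a query parameter; it must be checked
# against a fixed allowlist instead of being pasted in with %s.
ALLOWED_TABLES = {"images", "users"}


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, image BLOB)")
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The pattern the first reply warns against: the value is formatted into the SQL."""
    sql = "SELECT secret FROM users WHERE name = '%s' ORDER BY rowid" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """The pattern Mike asked about: the value is handed to execute() as a tuple.

    sqlite3.paramstyle is 'qmark' ('?'); MySQLdb's is 'format' ('%s'). Either way
    the driver binds the value, so quotes inside it are data, not SQL.
    """
    sql = "SELECT secret FROM users WHERE name = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (name,))]


def table_allowed(table):
    """Identifiers cannot be parameters: accept only names from the fixed allowlist."""
    return table in ALLOWED_TABLES


def page_rows(conn, table, offset, limit):
    """Safe rewrite of the thread's 'SELECT ... FROM %s limit %s,%s' query.

    The table name is validated against the allowlist and only then formatted
    in; the offset and limit are bound as parameters.
    """
    if not table_allowed(table):
        raise ValueError("table not allowed: %r" % (table,))
    sql = "SELECT * FROM %s ORDER BY rowid LIMIT ? OFFSET ?" % table
    return conn.execute(sql, (limit, offset)).fetchall()


def store_image(conn, data):
    """The INSERT from Mike's message, with binary data bound as a parameter."""
    cur = conn.execute("INSERT INTO images (image) VALUES (?)", (data,))
    conn.commit()
    return cur.lastrowid


def load_image(conn, image_id):
    """Fetch the stored blob back; returns None if the id does not exist."""
    row = conn.execute("SELECT image FROM images WHERE id = ?", (image_id,)).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, hostile))   # leaks every secret
    print("safe:  ", lookup_safe(db, hostile))     # matches nothing
    print("page:  ", page_rows(db, "users", 1, 1))
    rid = store_image(db, b"\x89PNG'\x00--")       # quote and NUL bytes inside a blob
    print("blob round-trips:", load_image(db, rid) == b"\x89PNG'\x00--")
```

Running it shows the formatted query returning both users' secrets for the input x' OR '1'='1, while the parameterized query returns an empty list because the whole string is compared as a name. The same input through page_rows as a table name is rejected before any SQL is built, which is the only defence available for the %s that held self.tableid in the original query1.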