* Danny Yoo <[EMAIL PROTECTED]> [060920 10:41]:
> > query1 = """SELECT ABC FROM %s limit %s,%s"""\
> >          % (self.tableid,self.rangeid1,self.rangeid2)
>
> Just as a note: please don't do this! *grin*
>
> Don't build query strings up like this: this is very prone to an SQL
> injection attack. See:
>
> http://mail.python.org/pipermail/tutor/2003-April/022010.html

I'm glad you brought this up: Was talking to my partner about this.
He's a perl programmer, and he told me (if I understood him correctly)
that the programmer is required by perl to use the 'prepare' function
in the perl DBI prior to sending a select statement. If not done
(again, if I understood him correctly) an exception is thrown.

Is this correct?

Now I'm off to writing a little 'script nanny' to check my python files
for usage of Paramstyle.

thanks
tim

> which talks about this a bit more.
>
> _______________________________________________
> Tutor maillist - Tutor@python.org
> http://mail.python.org/mailman/listinfo/tutor

--
Tim Johnson <[EMAIL PROTECTED]>
http://www.alaska-internet-solutions.com
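The contrast Danny is pointing at, as an added example that is not part of the thread: the `%`-formatted query pastes every argument into the SQL text, while the DB-API paramstyle form keeps the SQL fixed and binds the values. Table names cannot be bound as parameters, so the hardened version takes the identifier from an allowlist instead. The block also includes a small AST-based "script nanny" of the kind Tim mentions, flagging `execute()` calls whose SQL is assembled at runtime. It uses the standard `sqlite3` and `ast` modules; the `items` table, its rows and the allowlist are constructed for the demo.

```python
import ast
import sqlite3

# Constructed for the demo: the only tables a caller may query, each with a
# fixed SQL text. The identifier never comes from the caller's input.
TABLE_SQL = {
    "items": "SELECT abc FROM items LIMIT ?,?",
    "orders": "SELECT abc FROM orders LIMIT ?,?",
}


def setup_demo_db():
    """Build an in-memory database with a small constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (abc TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)",
                     [("row%d" % i,) for i in range(10)])
    return conn


def build_formatted_query(tableid, rangeid1, rangeid2):
    """The pattern from the thread: arguments are spliced into the SQL text.

    Whatever the caller passes becomes part of the statement the database
    parses, which is why Danny calls it prone to SQL injection.
    """
    return """SELECT abc FROM %s limit %s,%s""" % (tableid, rangeid1, rangeid2)


def fetch_parameterized(conn, tableid, rangeid1, rangeid2):
    """Hardened form: allowlisted identifier, bound values for the range."""
    if tableid not in TABLE_SQL:
        raise ValueError("unknown table: %r" % (tableid,))
    # Range values are coerced to int before they get anywhere near SQL;
    # a non-numeric value fails here with ValueError instead of being parsed.
    offset, count = int(rangeid1), int(rangeid2)
    if offset < 0 or count < 0:
        raise ValueError("range values must be non-negative")
    cur = conn.execute(TABLE_SQL[tableid], (offset, count))
    return [row[0] for row in cur.fetchall()]


def find_formatted_sql(source):
    """A tiny 'script nanny': list execute() calls whose SQL is built at runtime.

    Returns (line number, how the string was built). It only inspects the
    argument at the call site, so a query formatted into a variable earlier
    and passed by name is not reported; that is a known limitation.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        first = node.args[0]
        if isinstance(first, ast.BinOp) and isinstance(first.op, ast.Mod):
            how = "% formatting"
        elif isinstance(first, ast.BinOp) and isinstance(first.op, ast.Add):
            how = "string concatenation"
        elif isinstance(first, ast.JoinedStr):
            how = "f-string"
        elif (isinstance(first, ast.Call) and isinstance(first.func, ast.Attribute)
              and first.func.attr == "format"):
            how = "str.format"
        else:
            continue
        findings.append((node.lineno, how))
    return sorted(findings)


# Constructed source file for the nanny to scan (not code from the thread).
SAMPLE_SOURCE = '''
query1 = """SELECT ABC FROM %s limit %s,%s""" % (tableid, r1, r2)
cur.execute(query1)
cur.execute("SELECT abc FROM t LIMIT %s,%s" % (r1, r2))
cur.execute(f"SELECT abc FROM {t}")
cur.execute("SELECT abc FROM t LIMIT ?,?", (r1, r2))
'''


if __name__ == "__main__":
    conn = setup_demo_db()
    print(build_formatted_query("items", 0, "not a number"))
    print(fetch_parameterized(conn, "items", "2", "3"))
    for lineno, how in find_formatted_sql(SAMPLE_SOURCE):
        print("line %d: SQL built with %s" % (lineno, how))
```

The `int()` coercion and the allowlist are the two checks the paramstyle alone does not give you: parameters protect the values, but an identifier such as `self.tableid` still has to be validated by the application.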