On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > cursor.execute(query)
>
> There can be security issues with this style, especially
> if the parameters can be modified by users - for example
> you read the values from a web page.
>
> The cursor.execute() call has the ability to pass the parameters
> in directly, i.e. combining the two statements above into one.
> The details of how you do that vary between database
> drivers so you need to check the documents, but I think for
> MySQL it's almost an exact translation:
>
> query = "SELECT * FROM DB WHERE NAME = %s"
> cursor.execute(query, (name,))
>
> If you search the list archives you'll find a fairly long thread
> describing the whys/wherefores in much more depth.
>
> HTH,

Since the archive is large, could you provide the subject title?
Thanks
John

_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
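As an added example (not code from the thread), the two styles Alan contrasts run side by side against an in-memory SQLite table standing in for the `DB` table in the quoted query; SQLite's placeholder is `?` where MySQLdb's is `%s`, and the string-formatted version has quotes added around `%s` so that it works at all for ordinary input. The sample rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the "DB" table in the quoted query.
ROWS = [("alice",), ("O'Brien",), ("bob",)]


def make_db():
    """Create an in-memory SQLite database with a NAME column (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DB (NAME TEXT)")
    conn.executemany("INSERT INTO DB (NAME) VALUES (?)", ROWS)
    return conn


def lookup_formatted(conn, name):
    """The style questioned in the thread: the value is spliced into the SQL text.

    Whatever the caller passes becomes part of the statement, so a quote in the
    input changes the SQL grammar instead of being treated as data.
    """
    query = "SELECT * FROM DB WHERE NAME = '%s'" % (name,)
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """The fix the reply recommends: let the driver bind the parameter.

    sqlite3 uses '?' placeholders (MySQLdb uses '%s'); either way the value is
    passed as a separate argument and is never parsed as SQL.
    """
    query = "SELECT * FROM DB WHERE NAME = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Run both lookups on a fresh table and return the parameterized result
    together with whether the formatted version still produced the same row."""
    conn = make_db()
    try:
        formatted_ok = lookup_formatted(conn, name) == [(name,)]
    except sqlite3.OperationalError:
        formatted_ok = False  # the input broke the statement's syntax
    return lookup_parameterized(conn, name), formatted_ok


if __name__ == "__main__":
    print(compare("alice"))    # ([('alice',)], True)
    print(compare("O'Brien"))  # ([("O'Brien",)], False)
```

The apostrophe in the second name is enough to turn the formatted query into a syntax error, while the bound parameter returns the row unchanged; this is the same mechanism that lets hostile input rewrite the statement.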