On Thursday 12 October 2006 07:14, Jason Massey wrote:
> On 10/12/06, johnf <[EMAIL PROTECTED]> wrote:
> > On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > > > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > > > cursor.execute(query)
> > >
> > > There can be security issues with this style, especially
> > > if the parameters can be modified by users - for example
> > > you read the values from a web page.
> > >
> > > The cursor.execute() call has the ability to pass the parameters
> > > in directly, i.e. combining the two statements above into one.
> > > The details of how you do that vary between database
> > > drivers so you need to check the documents, but I think for
> > > MySQL it's almost an exact translation:
> > >
> > > query = "SELECT * FROM DB WHERE NAME = %s"
> > > cursor.execute(query, name)
> > >
> > > If you search the list archives you'll find a fairly long thread
> > > describing the whys/wherefores in much more depth.
> > >
> > > HTH,
> >
> > Since the archive is large - could you provide the subject title?
> >
> > Thanks
> > John
> > _______________________________________________
> > Tutor maillist - Tutor@python.org
> > http://mail.python.org/mailman/listinfo/tutor
>
> Forgot to forward to the list...
>
> Check out this posting from Danny:
>
> http://mail.python.org/pipermail/tutor/2003-April/022010.html

OK, from what I understand you are concerned with "SQL injection". But I don't see the difference between the two statements preventing "SQL injection". Can someone explain?
John
_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
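The difference John is asking about, shown as an added example that is not code from anyone in the thread. The two statements look alike because MySQLdb happens to use "%s" as its placeholder, but in the first one Python's "%" operator pastes the value into the SQL text before the driver ever sees it, so quote characters in the value become part of the statement; in the second the driver receives the template and the value separately and binds the value as data. This example assumes the stdlib sqlite3 module as a stand-in for MySQL (sqlite3's placeholder is "?" where MySQLdb's is "%s"), a table named "users" rather than the thread's "DB", and a few constructed rows; the parameters are passed as a one-element tuple, which is the portable form across DB-API drivers.

```python
import sqlite3

# Constructed sample data standing in for the thread's "DB" table
# (assumption: a "users" table with "name" and "email" columns).
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Attacker-controlled input, e.g. a form field on a web page.
# The quote closes the string literal and the rest becomes SQL.
MALICIOUS_NAME = "x' OR '1'='1"


def make_db():
    """Build an in-memory sqlite3 database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def unsafe_sql_text(name):
    """The statement that string formatting actually produces.

    This is the first style from the thread: the value is interpolated into
    the SQL text by Python's % operator, so the driver cannot tell which
    characters were meant as data and which as SQL syntax.
    """
    return "SELECT name, email FROM users WHERE name = '%s' ORDER BY name" % (name,)


def lookup_unsafe(conn, name):
    """Vulnerable lookup: the whole query, value included, is one string."""
    return conn.execute(unsafe_sql_text(name)).fetchall()


def lookup_safe(conn, name):
    """Parameterised lookup: SQL template and value travel separately.

    The "?" is sqlite3's placeholder; MySQLdb spells it "%s", but the point
    is the same: cursor.execute() receives the template and a tuple of
    values, and the driver quotes or binds each value as data, so a quote
    inside `name` can never terminate the string literal.
    """
    query = "SELECT name, email FROM users WHERE name = ? ORDER BY name"
    return conn.execute(query, (name,)).fetchall()


def demo():
    """Run both styles against a normal name and against the attack string."""
    conn = make_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_attack": lookup_unsafe(conn, MALICIOUS_NAME),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_attack": lookup_safe(conn, MALICIOUS_NAME),
    }


if __name__ == "__main__":
    print(unsafe_sql_text(MALICIOUS_NAME))
    for label, rows in demo().items():
        print(label, rows)
```

With the attack string the formatted version silently becomes `... WHERE name = 'x' OR '1'='1' ...`, which is valid SQL that matches every row; the parameterised version compares the literal text `x' OR '1'='1` against the name column and matches nothing. Whether a driver also refuses a second, stacked statement (`x'; DROP TABLE users; --`) depends on the driver and its connection options, so the placeholder form should be the rule, not a defence you add only where an attack comes to mind.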