On Thu, 2006-10-12 at 14:46 -0700, johnf wrote:
> On Thursday 12 October 2006 07:14, Jason Massey wrote:
> > On 10/12/06, johnf <[EMAIL PROTECTED]> wrote:
> > > On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > > > > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > > > > cursor.execute(query)
(snipped)
> > > > query = "SELECT * FROM DB WHERE NAME = %s"
> > > > cursor.execute(query, name)
(snipped)
> OK from what I understand you are concerned with "SQL injection". But I
> don't see the difference between the two statements preventing "SQL injection".
Suppose name = 'x"; DELETE FROM DB; SELECT COUNT(*) FROM DB; SELECT FROM DB WHERE NAME = "x'

The first version will simply build a string with the SQL command interpolating name. The where quote (") gets closed and semicolons separate SQL commands. The sequence of commands gets executed.

The second version will escape the quotes and semicolons in the name string. You will simply try to match a rather odd-looking name.

You could do the escaping yourself before doing the string interpolation, but the DB module is already set up to do the work for you.

> Can someone explain.
>
> John
> _______________________________________________
> Tutor maillist - Tutor@python.org
> http://mail.python.org/mailman/listinfo/tutor

--
Lloyd Kvam
Venix Corp

_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
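The two versions from the thread run side by side against a constructed in-memory SQLite table, as an added example that is not part of the original thread. It assumes Python's sqlite3 module, a table named db with a name column, and uses executescript() to stand in for a driver that runs stacked statements; the hostile name is the one from the reply with its quote style flipped to single quotes and a column list added to the last SELECT so every statement parses.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the thread's DB / NAME."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db (name TEXT)")
    conn.executemany("INSERT INTO db VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


# The reply's hostile name, single-quoted so it closes a standard SQL literal.
HOSTILE_NAME = "x'; DELETE FROM db; SELECT COUNT(*) FROM db; SELECT * FROM db WHERE name = 'x"


def lookup_interpolated(conn, name):
    """First version: name is pasted into the SQL text, so a quote inside it
    closes the literal and each semicolon starts a new statement.
    executescript() plays the role of a driver that accepts stacked statements
    (sqlite3's execute() refuses more than one statement per call)."""
    query = "SELECT * FROM db WHERE name = '%s'" % (name,)
    conn.executescript(query)  # every statement in the string is run


def lookup_parameterized(conn, name):
    """Second version: the driver binds name as a value, never as SQL text, so
    the whole hostile string is just compared against the name column."""
    query = "SELECT * FROM db WHERE name = ?"  # sqlite3 uses ? where the thread's module uses %s
    return conn.execute(query, (name,)).fetchall()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM db").fetchone()[0]


def demo():
    """Return (rows the safe lookup matched, rows left after it,
    rows left after the interpolated lookup)."""
    conn = make_db()
    matched = lookup_parameterized(conn, HOSTILE_NAME)
    after_safe = row_count(conn)
    lookup_interpolated(conn, HOSTILE_NAME)
    after_unsafe = row_count(conn)
    return matched, after_safe, after_unsafe


if __name__ == "__main__":
    print(demo())  # ([], 2, 0): the safe lookup matches nothing and keeps the table; the other empties it
```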