johnf wrote:
> But the above does not work when I use variables instead of strings as in
>
> tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( tableName, fieldName ) )
>
> So how am I supposed to prevent SQL injections?????
Try to use '?' instead of %s, like this:

tempCursor.execute ( "Select pg_get_serial_sequence ( ?, ? ) as seq", ( tableName, fieldName ) )

For further information see PEP 249 (http://www.python.org/dev/peps/pep-0249/)

HTH!
Simone

_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
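An added example (not code from either poster) showing what the thread is about: the placeholder a DB-API driver accepts is whatever its module-level `paramstyle` attribute declares under PEP 249, and passing the values as parameters is what keeps them from being parsed as SQL. Since sqlite3 has no pg_get_serial_sequence, a constructed in-memory lookup table stands in for it; the `parametrize` helper and the table are this example's own.

```python
import sqlite3

# Placeholder syntax for each PEP 249 paramstyle. sqlite3 declares 'qmark';
# a driver's .paramstyle attribute tells you which of these it expects.
POSITIONAL = {"qmark": lambda i: "?", "numeric": lambda i: f":{i + 1}",
              "format": lambda i: "%s"}
NAMED = {"named": lambda n: f":{n}", "pyformat": lambda n: f"%({n})s"}

def parametrize(paramstyle, template, names):
    """Replace the '{}' slots in template with this driver's placeholders.
    Returns the SQL and a function that packs values the way execute() wants
    them: a sequence for positional styles, a mapping for named styles."""
    if paramstyle in POSITIONAL:
        sql = template.format(*[POSITIONAL[paramstyle](i) for i in range(len(names))])
        return sql, lambda *values: tuple(values)
    if paramstyle in NAMED:
        sql = template.format(*[NAMED[paramstyle](n) for n in names])
        return sql, lambda *values: dict(zip(names, values))
    raise ValueError(f"unknown paramstyle {paramstyle!r}")

TEMPLATE = "SELECT seq FROM sequences WHERE table_name = {} AND field_name = {}"

def constructed_db():
    """Constructed stand-in for pg_get_serial_sequence: a plain lookup table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sequences (table_name TEXT, field_name TEXT, seq TEXT)")
    conn.executemany("INSERT INTO sequences VALUES (?, ?, ?)",
                     [("users", "id", "users_id_seq"),
                      ("orders", "id", "orders_id_seq")])
    return conn

def lookup_safe(conn, table_name, field_name):
    """Values travel as parameters, so quotes inside them are data, not SQL."""
    sql, pack = parametrize(sqlite3.paramstyle, TEMPLATE, ("table_name", "field_name"))
    return [row[0] for row in conn.execute(sql, pack(table_name, field_name))]

def lookup_unsafe(conn, table_name, field_name):
    """The anti-pattern: values glued into the SQL text with Python % formatting."""
    sql = TEMPLATE.format("'%s'", "'%s'") % (table_name, field_name)
    return [row[0] for row in conn.execute(sql)]
```

With `lookup_safe`, an input such as `x' OR '1'='1` simply matches no row; with `lookup_unsafe` the same input rewrites the WHERE clause and every row comes back.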