On Friday 11 January 2008 10:20:13 am Alan Gauld wrote:
> "johnf" <[EMAIL PROTECTED]> wrote
>
> > and should be doing
> > tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as
> > seq", ( 'public.arcust', 'pkid' ) )
> >
> > which prevented SQL injection.
>
> The syntax of the execute statement varies by database
> Which DB are you using. For example SQLite uses ?
> instead of %s indicators.
>
> Could that be the issue? Have you checked the DB-API
> guide for your database?
>
> HTH,

I spoke too soon. Where can I find the DB-API for postgres? Because the only way I can get this to work is using ('%s') and it does not work with (%s).

BTW where I'm doing my testing is with a SELECT statement.

Below does not work:

    mySQL= "Select fieldname from tableName where str_field = %s" % (myVar,)

but this works:

    mySQL= "Select fieldname from tableName where str_field = '%s' " % (myVar,)

-- 
John Fabiani
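
Added example, not part of the original message: the difference between building the SQL text with Python's % operator, as in the two statements above, and passing the value to execute() as a bound parameter. It uses the standard-library sqlite3 module (placeholder ?) so it runs without a server; with a PostgreSQL driver whose paramstyle is format or pyformat, such as psycopg2, the placeholder is an unquoted %s. The table contents and the helper names are constructed for illustration.

```python
import sqlite3

# Placeholder token for the positional DB-API 2.0 paramstyles (PEP 249).
PLACEHOLDERS = {"qmark": "?", "format": "%s", "pyformat": "%s"}


def placeholder(driver):
    """Return the positional placeholder the given DB-API module expects."""
    return PLACEHOLDERS[driver.paramstyle]


def make_db():
    # Constructed sample data; only the table name comes from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE arcust (pkid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO arcust (name) VALUES (?)",
                     [("Smith",), ("O'Brien",), ("Jones",)])
    return conn


def lookup_interpolated(conn, value):
    # Pattern from the message: Python's % operator builds the SQL text,
    # so the value becomes part of the statement itself.
    sql = "SELECT name FROM arcust WHERE name = '%s'" % (value,)
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, value):
    # Parameter binding: the SQL text holds only an unquoted placeholder
    # and the value travels to execute() as a separate argument.
    sql = "SELECT name FROM arcust WHERE name = " + placeholder(sqlite3)
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a plain value, a value containing an apostrophe,
    # and a value containing a quote followed by SQL text.
    for value in ("Smith", "O'Brien", "x' OR '1'='1"):
        try:
            unsafe = lookup_interpolated(conn, value)
        except sqlite3.Error as exc:
            unsafe = "error: %s" % exc
        print(repr(value), "| interpolated:", unsafe,
              "| bound:", lookup_bound(conn, value))
```

The interpolated query fails on O'Brien and matches every row for the third input, while the bound query treats both values as plain data.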