Thanks for the clarification, Kent!
Kent Johnson wrote:
On Fri, Sep 18, 2009 at 2:14 PM, Jeff Johnson <j...@dcsoftware.com> wrote:
Kent:
How about this:
self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, ))
No, that has the same result as your original. For example,
In [3]: name = "Kent'; drop table Stories;--"
In [4]: "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, )
Out[4]: "SELECT CUSTID FROM Stories WHERE NAME = 'Kent'; drop table Stories;--'"
Oops.
Question, does execute know to substitute the question mark with name?
self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, ))
Yes, and it will correctly quote name according to the conventions of
the database in use. (Note that not all DB-API implementations use ?
as the placeholder; check the docs for the db you are using.)
Kent
--
Jeff
Jeff Johnson
j...@dcsoftware.com
Phoenix Python User Group - sunpigg...@googlegroups.com
_______________________________________________
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
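The two approaches from the thread side by side, as an added example that is not part of the original messages: the string-formatting version only builds the SQL text (so you can see the statement structure change when the value contains a quote), while the `?` placeholder version binds `name` as a value, so the same input is matched literally and an ordinary name with an apostrophe works instead of producing a syntax error. The `Stories` table contents are constructed here; SQLite is used because Python's built-in `sqlite3` module uses the `qmark` paramstyle Kent mentions.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the thread).
CUSTOMERS = [(1, "Kent"), (2, "O'Brien"), (3, "Jeff")]


def build_db():
    """Create an in-memory SQLite database with a Stories table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Stories (CUSTID INTEGER, NAME TEXT)")
    conn.executemany("INSERT INTO Stories VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def formatted_query(name):
    """The string-formatting approach from the thread: returns the SQL text that
    would be sent to the database. The value is spliced into the statement, so a
    quote inside `name` changes the statement's structure."""
    return "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name,)


def formatted_lookup(conn, name):
    """Run the formatted SQL. Any quote in `name` breaks the statement, so an
    ordinary name such as O'Brien raises sqlite3.OperationalError (a syntax
    error) instead of returning a row."""
    cursor = conn.execute(formatted_query(name))
    row = cursor.fetchone()
    return row[0] if row else None


def lookup_custid(conn, name):
    """The parameterized approach: `name` travels as a bound value, never as SQL
    text, so the driver quotes it correctly for the database in use and the
    input can only ever be compared against NAME."""
    cursor = conn.cursor()
    cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = ?", (name,))
    row = cursor.fetchone()
    return row[0] if row else None


def table_exists(conn, table):
    """True if `table` is still present in the database catalogue."""
    cursor = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    )
    return cursor.fetchone() is not None


if __name__ == "__main__":
    conn = build_db()
    hostile = "Kent'; drop table Stories;--"
    # The string Kent showed in the thread: two statements plus a comment.
    print(formatted_query(hostile))
    # With a placeholder the whole string is just a NAME to compare against.
    print(lookup_custid(conn, hostile))
    print(lookup_custid(conn, "O'Brien"))
    print(table_exists(conn, "Stories"))
    # Not every DB-API driver uses '?'; the module tells you which style it uses.
    print(sqlite3.paramstyle)
```

`lookup_custid` never needs to know the database's quoting rules, which is the point Kent makes: the driver does the quoting for the database in use. Before porting this to another DB-API module, check its `paramstyle` attribute, since drivers using `format` or `pyformat` expect `%s` as the placeholder (still passed as a separate parameter tuple, never via the `%` operator).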