Hi Juan,
On Mon, Oct 20, 2014 at 10:04 AM, Juan Christian <juan0christ...@gmail.com> wrote: > I have this code (http://pastebin.com/Q21vQdHZ): > > import sqlite3 [code cut] > def insert_db(_id, url, author, message): > db.execute("INSERT INTO TOPICS (ID, URL, AUTHOR, MESSAGE) VALUES ({}, > {}, {}, {})".format(_id, url, author, message)) [code cut] Ah. Do not use normal string formatting when you're dealing with SQL. In web programming, we can introduce script injection problems when we use naive string concatenation. Unsurprisingly, the same class of injection attack can be done in SQL when we use naive string concatenation to build SQL statements. See: http://xkcd.com/327/ I'm being serious! :P Look for the concept of "prepared statements" or "parameter substitution" or "placeholder" in the sqllite3 Python bindings: it should let you safely construct the statement templates. In the documentation here: https://docs.python.org/2/library/sqlite3.html search for the word "placeholder", and you should see the relevant material. _______________________________________________ Tutor maillist - Tutor@python.org To unsubscribe or change subscription options: https://mail.python.org/mailman/listinfo/tutor
