On Apr 30, 2013, at 10:05 AM, Max Voß <[email protected]> wrote:
> tmpCursor.execute("SELECT rechnung_position.name, preis, anzahl FROM
> rechnung INNER JOIN rechnung_position ON rechnung.id=rechnung_id WHERE
> rechnung.id=%i ORDER BY position" %
> (self.Form.getBizobj("rechnung").getPK()))
Generally, doing the direct substitution of the parameters in the SQL
statement is a bad idea, as it opens the code up to all sorts of SQL injection
attacks. I would try just using '%s' as the placeholder for the parameters, and
include a tuple of the parameters you need. This would look like:
pk = self.Form.getBizobj("rechnung").getPK()
sql = """SELECT rechnung_position.name, preis, anzahl
FROM rechnung
INNER JOIN rechnung_position ON rechnung.id=rechnung_id
WHERE rechnung.id=%s
ORDER BY position"""
tmpCursor.execute(sql, (pk, ))
See if that works better for you.
-- Ed Leafe
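To make the difference concrete, here is an added, self-contained example (not code from Ed Leafe, Max Voß, or the Dabo project). It uses Python's standard sqlite3 module on an in-memory database instead of a Dabo bizobj and cursor, with the thread's table and column names and constructed sample rows; the `kunde` column and the data values are assumptions. sqlite3 writes placeholders as `?` where the MySQLdb-style driver in the thread uses `%s`, but the principle is the same: the SQL text stays fixed and the primary key is passed as a bound value. The unsafe variant uses `%s` string formatting rather than the original `%i` so the hazard is visible (with `%i`, a non-integer value merely raises a TypeError, which is an accidental guard rather than a design).

```python
import sqlite3

# Constructed sample data (not from the mailing-list thread): two invoices
# ("rechnung") and their line items ("rechnung_position").
SCHEMA = """
CREATE TABLE rechnung (id INTEGER PRIMARY KEY, kunde TEXT);
CREATE TABLE rechnung_position (
    id INTEGER PRIMARY KEY,
    rechnung_id INTEGER NOT NULL REFERENCES rechnung(id),
    position INTEGER NOT NULL,
    name TEXT NOT NULL,
    preis REAL NOT NULL,
    anzahl INTEGER NOT NULL
);
INSERT INTO rechnung VALUES (1, 'Alpha GmbH'), (2, 'Beta AG');
INSERT INTO rechnung_position VALUES
    (1, 1, 1, 'Schrauben', 0.10, 200),
    (2, 1, 2, 'Muttern',   0.08, 200),
    (3, 2, 1, 'Bohrer',    12.50, 3);
"""

# The query from the thread; {placeholder} is filled with either the
# driver's bind marker or (in the unsafe variant) a format specifier.
QUERY = """SELECT rechnung_position.name, preis, anzahl
FROM rechnung
INNER JOIN rechnung_position ON rechnung.id = rechnung_id
WHERE rechnung.id = {placeholder}
ORDER BY position"""


def make_db():
    """Return a fresh in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def positions_unsafe(conn, pk):
    """The pattern the thread warns against: the value is pasted into the
    SQL text, so the database parses whatever the value contains."""
    sql = QUERY.format(placeholder="%s") % (pk,)
    return conn.execute(sql).fetchall()


def positions_safe(conn, pk):
    """Parameterised form: the SQL text never changes and pk travels as a
    bound value, so it can only ever be compared, never parsed."""
    sql = QUERY.format(placeholder="?")
    return conn.execute(sql, (pk,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # For a well-formed integer key both variants return invoice 1's items.
    print(positions_safe(db, 1))
    print(positions_unsafe(db, 1))
    # A value that is not a plain key: the unsafe variant's WHERE clause
    # becomes "rechnung.id = 1 OR 1=1" and every invoice's items leak out;
    # the bound variant compares the id column against the literal text
    # and returns nothing.
    print(positions_unsafe(db, "1 OR 1=1"))
    print(positions_safe(db, "1 OR 1=1"))
```

Running the script shows the two variants agreeing on an integer key and diverging the moment the value contains anything but a key: the formatted query returns all three line items across both invoices, the parameterised one returns an empty list. That divergence is the whole reason to prefer `execute(sql, params)` over `%` formatting.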