[email protected] wrote:
29.08.2009 15:40 пользователь "Sergio Charpinel Jr."
<[email protected]> написал:
Thanks.
Do you know if both of them works for mysql too?
2009/8/29 [email protected]>
29.08.2009 15:27 пользователь "Sergio Charpinel Jr."
[email protected]> написал:
Actually, this works for any string (it doesn't depend on anything else).
So you can pass "somestring {0}".format(foo) to any function because the
string will be formatted _first_ and then passed as an argument. The same
goes with "somestring %s" % "foo". Both will work
Bad idea when assembling SQL, unless you _like_ SQL-injection
attacks:
sql = "select * from users where name='%s' and password='%s'"
# get some values from an untrusted user:
name = "administrator"
password = "' or 1=1; drop table users; --"
cursor.execute(sql % (name, password))
# uh-oh!
This is why it's so important to use the DB API's own escaping
functions.
-tkc
--
http://mail.python.org/mailman/listinfo/python-list
