On 7/7/2010 11:52 AM, Stephen Hansen wrote:
On 7/7/10 11:38 AM, Victor Subervi wrote:
Hi;
I have this code:

     sql = 'insert into personalDataKeys values (%s, %s, %s)' % (store,
user, ', %s'.join('%s' * len(col_vals)))
     cursor.execute(sql, col_vals)

  Bad approach. Don't put actual data into an SQL statement using
string parameter substitution.  Try this:
        
    values = (store, user) + tuple(col_vals)   # all values to be inserted, in column order
    valuesql = ",".join(["%s"]*len(values))   # one placeholder per value: '%s,%s,%s,%s,%s,%s'
    sql = "INSERT INTO personalDataKeys VALUES (" + valuesql + ")"   # only placeholders in the SQL text
    cursor.execute(sql, values)   # the driver quotes/escapes each value

"valuesql" is always some number of repeats of comma-separated "%s".
Anything in "values" will be escaped properly.  No SQL injection
vulnerability.

                                John Nagle



--
http://mail.python.org/mailman/listinfo/python-list
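As an added example (not code from the thread), here is John Nagle's approach generalized to any DB-API paramstyle, run against sqlite3 so it works offline; the table name, columns and sample rows are constructed for the demo, and the driver's paramstyle picks the placeholder ("%s" for MySQLdb, "?" for sqlite3):

```python
import sqlite3

# Placeholder token for each DB-API paramstyle this helper supports.
# MySQLdb reports "format" (%s); sqlite3 reports "qmark" (?).
PLACEHOLDERS = {"format": "%s", "qmark": "?"}

def build_insert(table, values, paramstyle):
    """Return (sql, params): one placeholder per value, no data in the SQL text.

    `table` is an identifier and cannot be parameterized, so it must come
    from code (an allow-list), never from request input.
    """
    try:
        ph = PLACEHOLDERS[paramstyle]
    except KeyError:
        raise ValueError("unsupported paramstyle: %r" % paramstyle)
    valuesql = ",".join([ph] * len(values))      # e.g. '?,?,?,?' or '%s,%s,%s,%s'
    sql = "INSERT INTO %s VALUES (%s)" % (table, valuesql)
    return sql, tuple(values)

def insert_rows(conn, rows):
    """Insert (store, user, col_vals) rows; values are bound, never interpolated."""
    cur = conn.cursor()
    # Constructed schema for the demo: two fixed columns plus two data columns.
    cur.execute("CREATE TABLE IF NOT EXISTS personalDataKeys "
                "(store TEXT, user TEXT, k1 TEXT, k2 TEXT)")
    for store, user, col_vals in rows:
        values = (store, user) + tuple(col_vals)
        sql, params = build_insert("personalDataKeys", values, sqlite3.paramstyle)
        cur.execute(sql, params)
    conn.commit()

def stored_rows(conn):
    """Read everything back so we can check the values were stored verbatim."""
    return [tuple(r) for r in conn.execute(
        "SELECT store, user, k1, k2 FROM personalDataKeys ORDER BY rowid")]

def demo():
    conn = sqlite3.connect(":memory:")
    # Constructed sample data; the quote and semicolon in the second row would
    # corrupt a string-formatted statement but are harmless as bound parameters.
    rows = [("shop1", "alice", ["a", "b"]),
            ("shop1", "O'Brien", ["c", "d'; --"])]
    insert_rows(conn, rows)
    return stored_rows(conn)

if __name__ == "__main__":
    for row in demo():
        print(row)
```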