Matteo Boscolo wrote:
> try:
> myQuery = """your sql code """ % (('foo', 'bar'))
> and then
> cursor.execute(myQuery)
No, no, no! Don't EVER do that.

The whole reason these parameter substitution schemes exist is because it prevents code like this, which is open to SQL injection attacks.

The only time you should be using Python's % substitution with SQL is when you need to supply table or field names, and even then you need to be careful if the names came from user input. Any time you are supplying a data value, you should ALWAYS use the API's substitution scheme.

--
Tim Roberts, t...@probo.com
Providenza & Boekelheide, Inc.

_______________________________________________
python-win32 mailing list
python-win32@python.org
http://mail.python.org/mailman/listinfo/python-win32
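As an added example (not code from either poster), the two approaches side by side, using Python's standard `sqlite3` module, which follows the same DB-API parameter convention the reply refers to; the table, its rows, the `users`/`name`/`role` names and the input strings are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the poster's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_with_format(conn, name):
    # The pattern from the quoted message: a data value spliced into the
    # SQL text with %. A quote character inside `name` becomes part of
    # the statement, so the caller's input can change what is selected.
    query = "SELECT name, role FROM users WHERE name = '%s'" % (name,)
    return conn.execute(query).fetchall()


def lookup_with_params(conn, name):
    # The DB-API way: the driver receives the value separately from the
    # statement, so the text of `name` can never alter its structure.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Table and column names cannot be bound as parameters. When one has to
# come from input, check it against a fixed allow-list before using %.
ALLOWED_COLUMNS = {"name", "role"}


def select_column(conn, column):
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % (column,))
    # Formatting is acceptable here only because `column` was validated.
    return conn.execute("SELECT %s FROM users" % column).fetchall()
```

Run `lookup_with_format` and `lookup_with_params` on the same input containing a single quote and compare the row counts: the formatted query stops filtering, the parameterised one simply finds no such user.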