[web2py] Re: Are executesql parameters escaped?
Thank you!
On Friday, January 13, 2017 at 8:59:35 AM UTC+1, Niphlod wrote:
>
> when you do that, you're passing 'string'.format() (which is a string) to
> executesql.
>
> the proper way is to use parameters!!!
>
> db.executesql('select * from auth_user where id = ?', placeholders=(1, ),
> as_dict=True)
>
> the nitty gritty details of the syntax depend on the driver parameter
>
> On Thursday, January 12, 2017 at 2:46:28 PM UTC+1, Jorrit wrote:
>>
>> When I use *db.executesql* like so:
>>
>> birthdays = db.executesql("SELECT * FROM auth_user WHERE
>> DAYOFYEAR(curdate() -2) < dayofyear(dateOfBirth) "
>> "AND DAYOFYEAR(curdate()) +7 >=
>> dayofyear(dateOfBirth) "
>> "AND employeeState_id = {1} AND location_id IN
>> (SELECT location_id FROM clusterLocation WHERE cluster_id={0}) ORDER BY
>> MONTH(dateOfBirth), "
>> "DAY(dateOfBirth);".format(cluster, active_id),
>> as_dict=True)
>>
>>
>> ...are the cluster and active_id parameters SQL-escaped? If not what is
>> the best way to do this?
>>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[web2py] Re: Are executesql parameters escaped?
when you do that, you're passing 'string'.format() (which is a string) to
executesql.
the proper way is to use parameters!!!
db.executesql('select * from auth_user where id = ?', placeholders=(1, ),
as_dict=True)
the nitty gritty details of the syntax depend on the driver parameter
On Thursday, January 12, 2017 at 2:46:28 PM UTC+1, Jorrit wrote:
>
> When I use *db.executesql* like so:
>
> birthdays = db.executesql("SELECT * FROM auth_user WHERE DAYOFYEAR(curdate()
> -2) < dayofyear(dateOfBirth) "
> "AND DAYOFYEAR(curdate()) +7 >=
> dayofyear(dateOfBirth) "
> "AND employeeState_id = {1} AND location_id IN
> (SELECT location_id FROM clusterLocation WHERE cluster_id={0}) ORDER BY
> MONTH(dateOfBirth), "
> "DAY(dateOfBirth);".format(cluster, active_id),
> as_dict=True)
>
>
> ...are the cluster and active_id parameters SQL-escaped? If not what is
> the best way to do this?
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
