"Jeff Elkins" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Just as an fyi:
>
> In one weekend I have gone from knowing zip about SQL/Python to
implementing
> code on my personal server that emails info to family about birthdays and
> such.
Actually - http://www.pythonweb.org/ wil
On Mon, May 23, 2005 at 04:12:31PM +, Austyn Bontrager wrote:
> How about:
>
> cursor.execute("""
> SELECT name, month, day ,category, city FROM bday
> WHERE %(col_name)s = %%s
> """ % dict(col_name=arg1),
> (arg2)
> )
>
> The "%(col_name)s" will be replaced by n
How about:
cursor.execute("""
SELECT name, month, day ,category, city FROM bday
WHERE %(col_name)s = %%s
""" % dict(col_name=arg1),
(arg2)
)
The "%(col_name)s" will be replaced by normal Python string
substitution, while the "%%s" will be quoted by the db
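Both patterns from this thread side by side, as an added example that is not from any of the posters: it assumes sqlite3 (paramstyle '?') and a constructed bday table, where the thread uses MySQLdb's '%s', and adds an allowlist check for the column name, which the plain %(col_name)s substitution does nothing to protect.

```python
import sqlite3

# Constructed sample rows standing in for the poster's "bday" table.
ROWS = [
    ("Ann", "05", "12", "family", "Boston"),
    ("Bob", "11", "03", "friend", "Denver"),
    ("Cid", "05", "30", "family", "Austin"),
]
# A column name cannot be a bound parameter, so it is checked against an allowlist.
ALLOWED_COLS = frozenset(["name", "month", "day", "category", "city"])


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bday (name, month, day, category, city)")
    conn.executemany("INSERT INTO bday VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def column_ok(col_name):
    """True only for a known column name; anything else is rejected outright."""
    return col_name in ALLOWED_COLS


def query_bday_both_bound(conn, col_name, value):
    """The poster's first attempt: both pieces passed as DB-API parameters.
    The driver quotes col_name as a string literal, so the WHERE clause
    compares the text 'month' with the text '05' and never matches."""
    sql = "SELECT name, month, day, category, city FROM bday WHERE ? = ?"
    return conn.execute(sql, (col_name, value)).fetchall()


def query_bday(conn, col_name, value):
    """Column via validated string substitution, value via a bound parameter."""
    if not column_ok(col_name):
        raise ValueError("unknown column: %r" % (col_name,))
    # sqlite3 uses the '?' paramstyle where MySQLdb uses '%s'; either way the
    # value is handed to the driver, never spliced into the SQL text.
    sql = """
        SELECT name, month, day, category, city FROM bday
        WHERE %(col_name)s = ? ORDER BY name
    """ % dict(col_name=col_name)
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_bday_both_bound(db, "month", "05"))  # []
    print(query_bday(db, "month", "05"))             # Ann and Cid rows
```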
Steve Holden wrote:
> Jeff Elkins wrote:
>>... cursor.execute("SELECT name, month, day ,category, city "
>> " FROM bday WHERE %s = %s", (arg1,arg2))
>> No results. However, if I hardcode the WHERE argument with a field name:
>>cursor.execute("SELECT name, month, da
Jeff Elkins wrote:
> I'm attempting to pass an SQL query via the console:
>
> $ ./getbd month 05
>
> The arguments seem to get passed correctly (via print statements) and then:
>
> cursor.execute ("""
> SELECT name, month, day ,category, city FROM bday
>
Just as an fyi:
In one weekend I have gone from knowing zip about SQL/Python to implementing
code on my personal server that emails info to family about birthdays and
such. I know I could have installed other *nix programs that would do the
same thing, but so what :)
Thanks so much to the folk
On Saturday 21 May 2005 01:32 pm, Dennis Lee Bieber wrote:
> On Fri, 20 May 2005 23:57:01 -0400, Jeff Elkins
> You have to remember that .execute(), using the (template,
> (arg...)) format, is designed to apply suitable quoting to the
> arguments. It does not parse the SQL to determine if argumen
On Saturday 21 May 2005 04:56 am, Heiko Wundram wrote:
> Am Samstag, 21. Mai 2005 06:54 schrieb Sakesun Roykiattisak:
> > Try
> >
> > cursor.execute (
> > """
> > SELECT name, month, day ,category, city FROM bday
> > WHERE %s = %s
> > """
> > %(arg1,arg2))
>
> *argh* You don't do any quoting
*argh* You don't do any quoting of SQL-parameters, and that's more than bad!
(leaves you up to the mercy of SQL-injection attacks, for example)
I'm aware of the issue. But I think the one who started this question is
too naive to explain anything more complex.
Just give him a hint for fur
Am Samstag, 21. Mai 2005 06:54 schrieb Sakesun Roykiattisak:
> Try
>
> cursor.execute (
> """
> SELECT name, month, day ,category, city FROM bday
> WHERE %s = %s
> """
> %(arg1,arg2))
*argh* You don't do any quoting of SQL-parameters, and that's more than bad!
(leaves you up to the mercy of
Try
cursor.execute (
"""
SELECT name, month, day ,category, city FROM bday
WHERE %s = %s
"""
%(arg1,arg2))
Jeff Elkins wrote:
>I'm attempting to pass an SQL query via the console:
>
>$ ./getbd month 05
>
>The arguments seem to get passed correctly (via print statements) and then:
>
>cu