this is the only proper way, and it relies on the underlying driver
implementation.
On Tuesday, September 13, 2016 at 5:08:30 PM UTC+2, Lisandro wrote:
Thank you Niphlod.
I've seen that db.executesql receives the "placeholders" argument in order
to do the escaping.
I've modified my code to this:
def search():
    results = db.executesql('SELECT * FROM contenido WHERE tsv @@ '
                            'plainto_tsquery(%s)',
                            placeholders=[request.vars.q])
    return
app/controller/function=everythingyoucanthinkof.
NEVER. EVER. EVER. build queries without proper escaping.
On Monday, September 12, 2016 at 3:12:50 PM UTC+2, Lisandro wrote:
>
> Hi there!
> I have a simple view with a form (with GET method), in order to allow my
> visitors to do some search.
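An added example (not from this thread) contrasting string-built SQL with driver-bound placeholders, using Python's sqlite3 module as a stand-in for the PostgreSQL driver since, as noted above, the escaping is the driver's job; sqlite3 uses `?` where web2py/psycopg2 use `%s`, and the `contenido` table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "contenido" table.
ROWS = [("O'Reilly book on Python",), ("web2py tutorial",),
        ("PostgreSQL full text search",)]


def make_db():
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contenido (texto TEXT)")
    conn.executemany("INSERT INTO contenido VALUES (?)", ROWS)
    return conn


def search_unsafe(conn, q):
    """The anti-pattern: the search term is pasted into the SQL text."""
    sql = "SELECT texto FROM contenido WHERE texto LIKE '%" + q + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, q):
    """Placeholder version: the driver binds q as a value, quotes included."""
    sql = "SELECT texto FROM contenido WHERE texto LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + q + "%",))]


def quote_breaks_unsafe(conn, q):
    """True if the string-built query fails on this term (a quote in q
    ends the SQL literal early and the statement no longer parses)."""
    try:
        search_unsafe(conn, q)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    term = "O'Reilly"
    print("unsafe query broken by a quote:", quote_breaks_unsafe(db, term))
    print("placeholder query result:", search_safe(db, term))
```

The same apostrophe that makes the interpolated statement unparsable is simply part of the bound value in the placeholder version, which is why placeholders are the correct fix rather than hand-written escaping.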