Kostas5904 <trapalis-1zCj/[EMAIL PROTECTED]> wrote:
But...

When I ask a value from the user and I try to store it into the same
table,
I run the following code
         ........
         item=dialog.GetValue()
         table="names1"
         cols="id,descr,type"
         values=("null",item,3)
         a="insert into %s (%s) values %s" % (table,cols,values)
         cursor.execute(a)

and I get the error:

pysqlite2.dbapi2.OperationalError: near
"'\u03b1\u03bd\u03c4\u03ce\u03bd\u03b7\u03c2'": syntax error

Inspect the value of the 'a' variable right before the execute() call. You'll find it's all wrong. The values must be in parentheses, and string literals must be quoted. While we are at it, in SQL string literals should be quoted with single quotes. SQLite allows double quotes as an extension, but it is bad practice to rely on that.

Better still, use a parameterized query and bind your values to parameters. Your approach is wide open to SQL injection attacks. Consider what happens if I type the following into the dialog field:

sometext", 3); delete from names1; --

See what kind of statement you are going to construct and run given this input.

Even if I'm not being malicious, consider what happens if I innocently put text containing quotes into the description field.

Igor Tandetnik
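An added example (not part of the original thread) that walks through the advice in the reply above: it prints the statement the posted code actually builds, shows a simplified string-formatted insert beside its parameterized replacement, and runs the reply's payload against both. It uses the standard-library sqlite3 module (the successor of pysqlite2); the table schema, the seed rows and the naive_sql() helper are constructed for the example, and the payload's double quote is changed to a single quote to match the quoting naive_sql() uses. executescript() stands in for a driver that passes the whole string to SQLite, since sqlite3's execute() refuses more than one statement per call.

```python
import sqlite3

# Constructed schema and rows for the example; the post only names the table and columns.
SCHEMA = "create table names1 (id integer primary key, descr text, type integer)"
SEED = [("alpha", 1), ("beta", 2)]


def fresh_db():
    """Return an in-memory database holding the two constructed seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("insert into names1 (descr, type) values (?, ?)", SEED)
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("select count(*) from names1").fetchone()[0]


def descriptions(conn):
    return [row[0] for row in conn.execute("select descr from names1 order by id")]


def original_post_sql(item):
    """The exact construction from the post: the statement text is whatever
    Python's tuple repr happens to look like. Note that 'null' becomes a quoted
    string rather than SQL NULL, and that repr() escapes quotes with a
    backslash, which SQLite does not understand."""
    table = "names1"
    cols = "id,descr,type"
    values = ("null", item, 3)
    return "insert into %s (%s) values %s" % (table, cols, values)


def naive_sql(item):
    """Simplified vulnerable form (constructed for this example): the value is
    pasted into the SQL text between single quotes. Shown on purpose; do not use."""
    return "insert into names1 (descr, type) values ('%s', 3)" % item


def naive_insert(conn, item):
    """Hand the formatted string to SQLite the way a driver without a
    one-statement guard would. Returns the row count afterwards, or the name of
    the exception class when SQLite rejects the text."""
    try:
        conn.executescript(naive_sql(item))
    except sqlite3.Error as exc:
        return type(exc).__name__
    return row_count(conn)


def execute_refuses_stacked(conn, item):
    """sqlite3's execute() accepts one statement per call, so a stacked payload is
    refused (sqlite3.Warning in older Pythons, ProgrammingError in newer ones).
    That is a driver safeguard, not a fix: the SQL text is still attacker-shaped."""
    try:
        conn.execute(naive_sql(item))
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def safe_insert(conn, item):
    """Parameterized statement: SQL text and value travel separately, so quotes
    and semicolons inside the value are plain data."""
    conn.execute("insert into names1 (descr, type) values (?, ?)", (item, 3))
    conn.commit()
    return row_count(conn)


if __name__ == "__main__":
    # The reply's payload, with its double quote changed to a single quote to
    # match the quoting used by naive_sql().
    payload = "sometext', 3); delete from names1; --"
    print(original_post_sql("x"))
    print(naive_sql(payload))
    print(naive_insert(fresh_db(), "O'Neil"))  # innocent apostrophe: OperationalError
    print(naive_insert(fresh_db(), payload))   # table wiped: 0
    print(safe_insert(fresh_db(), payload))    # stored verbatim as data: 3
```

Printing naive_sql(payload) shows the statement the reply describes: the apostrophe closes the literal, `, 3)` completes the INSERT, `;` starts a DELETE, and `--` comments out the rest of the original text. The parameterized version never concatenates the value into the SQL, so the same string lands in the descr column unchanged.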
