Igor Tandetnik wrote:
Kostas5904 <trapalis-1zCj/[EMAIL PROTECTED]> wrote:
But...
When I ask a value from the user and I try to store it into the same
table,
I run the following code
........
item=dialog.GetValue()
table="names1"
cols="id,descr,type"
values=("null",item,3)
a="insert into %s (%s) values %s" % (table,cols,values)
cursor.execute(a)
and I get the error:
pysqlite2.dbapi2.OperationalError: near
"'\u03b1\u03bd\u03c4\u03ce\u03bd\u03b7\u03c2'": syntax error
Inspect the value of 'a' variable right before execute() call. You'll
find it's all wrong. The values must be in parentheses, string
literals must be quoted. While we are at it, in SQL string literals
should be quoted with single quotes. SQLite allows double quotes as an
extension, but it is bad practice to rely on that.
Actually it's not as bad as it looks at first. :-)
He is using Python to convert the tuple "values" into its string
representation. This adds the required parentheses and quotes the value
of the string member item appropriately. The null value will be quoted
as a string literal as well, instead of a bare keyword null, which is a
problem. The real problem is that the string representation of a unicode
string in Python is not recognized by SQLite. It simply doesn't
understand the \uDDDD escape sequences.
Because of this I don't think this technique can be used to build a
suitable statement this way. You could try
v="(%s, '%s', %s)" % values
a="insert into %s (%s) values %s" % (table,cols,v)
cursor.execute(a)
which will embed the unicode string in another string, v, which avoid
the builtin conversion from a tuple to a string.
Better still, use parameterized query and bind your values to
parameters. Your approach is wide open to SQL injection attack.
Consider what happens if I type the following into the dialog field:
sometext", 3); delete from names1; --
See what kind of statement you are going to construct and run given
this input.
Even if I'm not being malicious, consider what happens if I innocently
put text containing quotes into the description field.
This really is a better idea, but I'm not sure how you do it from the
Python wrapper.
HTH
Dennis Cote
-----------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
-----------------------------------------------------------------------------
