Alan Gauld wrote:

> Hi John,
>
> I've no idea why it's not working, but this illustrates why I prefer to create
> the SQL string outside the execute - it's a lot easier to debug when you can
> print the string exactly as passed to execute. I know many others like to
> leave execute to do the escaping stuff, but I prefer to see what I'm doing
> and put in a little extra effort.
>
> So I would write it as:
>
> query = '''UPDATE cost_grid
> SET cost_1 = %s
> WHERE cost_grid_id = %s
> AND finish_dro = %s''' % (a, c, b)
> c.execute(query)
Yikes! Alan! Certainly you know what an SQL injection attack is? And what if the data contains special characters?

For those who don't know, imagine what happens in the above if b = '91.4; drop table cost_grid;' or even b = 'a;b;"c"update'

Kent

_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor