> query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> cursor.execute(query)

There can be security issues with this style, especially if the parameters can be modified by users - for example if you read the values from a web page. The cursor.execute() call has the ability to pass the parameters in directly, i.e. combining the two statements above into one. The details of how you do that vary between database drivers, so you need to check the documents, but I think for MySQL it's almost an exact translation:

    query = "SELECT * FROM DB WHERE NAME = %s"
    cursor.execute(query, (name,))

If you search the list archives you'll find a fairly long thread describing the whys/wherefores in much more depth.

HTH,

--
Alan Gauld
Author of the Learn to Program web site
http://www.freenetpages.co.uk/hp/alan.gauld
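Added example (not from the original post) contrasting the two styles with Python's built-in sqlite3 module, so it runs without a MySQL server; sqlite3 uses `?` as its placeholder where MySQLdb uses `%s`, and the table, rows and lookup functions are constructed for illustration. The formatted version quotes the value (the post's snippet does not) so that ordinary names work and the failure on a name containing an apostrophe is visible.

```python
import sqlite3

# Constructed sample data: an in-memory table with a name containing a quote.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Alice", "admin"), ("O'Brien", "user"), ("Bob", "user")])
    return conn

def lookup_unsafe(conn, name):
    # String formatting splices the value into the SQL text, so any quote
    # character in the input changes the structure of the statement.
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    # Parameterized query: the driver receives the value separately and
    # treats it purely as data. Parameters are passed as a sequence.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

def compare(name):
    """Run both lookups for one input.

    Returns (unsafe_result, safe_result); if the formatted query fails,
    unsafe_result is the exception class name instead of a row list.
    """
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    return unsafe, lookup_safe(conn, name)

if __name__ == "__main__":
    for n in ("Alice", "O'Brien"):
        print(repr(n), "->", compare(n))
```

For "Alice" both versions return the same row; for "O'Brien" the formatted query breaks on the embedded quote while the parameterized one returns the matching row.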
