On Thu, 2006-10-12 at 06:19 -0700, johnf wrote:
> On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > > cursor.execute(query)
> >
> > There can be security issues with this style, especially
> > if the parameters can be modified by users - for example
> > you read the values from a web page.
> >
> > The cursor.execute() call has the ability to pass the parameters
> > in directly, i.e. combining the two statements above into one.
> > The details of how you do that vary between database
> > drivers so you need to check the documents but I think for
> > MySQL it's almost an exact translation:
> >
> > query = "SELECT * FROM DB WHERE NAME = %s"
> > cursor.execute(query, name)
> >
> > If you search the list archives you'll find a fairly long thread
> > describing the whys/wherefores in much more depth.
> >
> > HTH,
>
> Since the archive is large - could you provide the subject title?

http://www.google.com/search?hl=en&q=cursor.execute+tutor+python&btnG=Google+Search

The above Google search should get you pretty close. It is looking for:

cursor.execute tutor python

In particular, this link (from the first page)
http://www.mail-archive.com/tutor@python.org/msg15716.html
is probably part of the thread you want.

> Thanks
> John
> _______________________________________________
> Tutor maillist - Tutor@python.org
> http://mail.python.org/mailman/listinfo/tutor

--
Lloyd Kvam
Venix Corp
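As an added illustration of the point Alan makes in the quoted message (this is not code from the thread or from any of its participants), the snippet below puts the string-formatted query beside the parameterised one and runs both against a constructed in-memory SQLite table. SQLite's placeholder is `?` where MySQLdb's is `%s`, but in both cases a DB-API driver takes the parameters as a sequence such as `(name,)`. The table name `db`, its columns and the two rows are made up for the example.

```python
import sqlite3

# Constructed sample data for the demonstration: a two-row table named "db",
# mirroring the "SELECT * FROM DB WHERE NAME = ..." query from the thread.
SAMPLE_ROWS = [("alice", "a-secret"), ("bob", "b-secret")]


def make_db():
    """Return an in-memory SQLite connection holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO db (name, secret) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_formatted(conn, name):
    """The style Alan warns about: the value is pasted into the SQL text itself.

    Quotes have been added around %s so that a plain name is valid SQL at all;
    the database cannot tell where the query ends and the user's input begins.
    """
    query = "SELECT name FROM db WHERE name = '%s'" % (name,)
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """The recommended style: the driver receives the value separately.

    The parameter is bound as data, so it can never change the query's shape.
    Note the one-element tuple (name,), which is what DB-API drivers expect.
    """
    query = "SELECT name FROM db WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def formatted_query_breaks(conn, name):
    """Return True if the formatted query cannot even be parsed for this input.

    A legitimate name containing an apostrophe is enough to break it, which is
    usually the first symptom a developer notices before the security problem.
    """
    try:
        lookup_formatted(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def compare(conn, name):
    """Run both lookups on the same input and report what each returned."""
    return {
        "formatted": None if formatted_query_breaks(conn, name) else lookup_formatted(conn, name),
        "parameterized": lookup_parameterized(conn, name),
    }


if __name__ == "__main__":
    db = make_db()
    # An ordinary name: both styles agree.
    print(compare(db, "alice"))
    # A name with an apostrophe: the formatted query is a syntax error,
    # the parameterised one simply finds no such row.
    print(compare(db, "O'Brien"))
    # The classic tautology: the formatted query returns every row,
    # the parameterised one treats the whole string as a (non-matching) name.
    print(compare(db, "x' OR '1'='1"))
```

Running the module prints three comparisons; the last one is the behaviour the quoted message is warning about, where the formatted query matches both rows while the parameterised query matches none.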