Hi,

I was recently told I was doing something wrong with my Python SQL statements. I was doing

    tempCursor.execute("Select pg_get_serial_sequence('%s','%s') as seq " % ('public.arcust','pkid'))

and should be doing

    tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( 'public.arcust', 'pkid' ) )

which prevented SQL injection. But the above does not work when I use variables instead of strings, as in

    tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( tableName, fieldName ) )

So how am I supposed to prevent SQL injections?????

--
John Fabiani
_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
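
Added example, not part of the original post: the two call styles from the message, run side by side with the table name held in a variable. It assumes Python's standard-library sqlite3 so that it runs without a PostgreSQL server; sqlite3 writes its placeholder as ? where the post's driver uses %s, the lookup against sqlite_master stands in for pg_get_serial_sequence, and the arsecret table and the hostile string are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed schema: arcust/pkid echo the names in the post,
    # arsecret is made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE arcust (pkid INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE arsecret (pkid INTEGER PRIMARY KEY, token TEXT)")
    return conn


def tables_interpolated(conn, table_name):
    # First form in the post: Python's % operator pastes the value into the
    # SQL text, so any quote characters in it are parsed as SQL.
    sql = ("SELECT name FROM sqlite_master "
           "WHERE type = 'table' AND name = '%s'" % (table_name,))
    return sorted(row[0] for row in conn.execute(sql))


def tables_bound(conn, table_name):
    # Second form: SQL text and values are passed separately and the driver
    # binds the variable as one text value, whatever it contains.
    sql = "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?"
    return sorted(row[0] for row in conn.execute(sql, (table_name,)))


if __name__ == "__main__":
    conn = make_db()
    table_name = "arcust"            # ordinary value held in a variable
    hostile = "nosuch' OR '1'='1"    # constructed hostile input
    print(tables_interpolated(conn, table_name))
    print(tables_bound(conn, table_name))
    print(tables_interpolated(conn, hostile))
    print(tables_bound(conn, hostile))
```

With an ordinary name both functions return the same row; with the constructed hostile value the interpolated query lists every table in the catalog, while the bound query matches nothing.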