On Friday 11 January 2008 09:14:25 am Simone wrote:
> johnf wrote:
> > But the above does not work when I use variables instead of strings as in
> >
> > tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( tableName, fieldName ) )
> >
> > So how am I supposed to prevent SQL injections?????
>
> Try to use '?' instead of %s, like this:
>
> tempCursor.execute ( "Select pg_get_serial_sequence ( ?, ? ) as seq", ( tableName, fieldName ) )
>
> For further information see PEP 249
> (http://www.python.org/dev/peps/pep-0249/)
>
> HTH!
>
> Simone

Thanks, I think I see the issue. The Qmark etc. was the clue.
--
John Fabiani
_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
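The thread above is about letting the database driver bind the values rather than pasting them into the SQL text. The following is an added, self-contained example (it is not code from either poster): it uses Python's built-in sqlite3 module as a stand-in for the PostgreSQL driver in the thread, builds a small constructed `users` table, and shows the spliced-string form beside the parameterised form. The `placeholder` helper and the `lookup_*` function names are my own; the five marker styles it maps come from PEP 249, which also specifies that every driver exposes the style it accepts as a module-level `paramstyle` attribute.

```python
import sqlite3

# Constructed demo data; sqlite3 (paramstyle 'qmark') stands in for the
# PostgreSQL driver used in the thread. None of this is the thread's code.
DEMO_ROWS = [("alice", "admin"), ("bob", "user")]


def build_demo_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", DEMO_ROWS)
    conn.commit()
    return conn


def placeholder(paramstyle, index=0, name="p"):
    """Return the parameter marker a PEP 249 driver expects.

    PEP 249 defines five styles; a driver reports which one it accepts
    in its module-level ``paramstyle`` attribute (sqlite3 -> 'qmark').
    Assumed helper, not part of any driver's API.
    """
    markers = {
        "qmark": "?",
        "numeric": ":%d" % (index + 1),
        "named": ":%s" % name,
        "format": "%s",
        "pyformat": "%%(%s)s" % name,
    }
    return markers[paramstyle]


def lookup_unsafe(conn, name):
    """Vulnerable form: the input becomes part of the SQL text the engine parses."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised form: the SQL text carries only a marker; the driver
    delivers the input as a value, so it is never parsed as SQL."""
    marker = placeholder(sqlite3.paramstyle)  # '?' for sqlite3
    sql = "SELECT name, role FROM users WHERE name = %s" % marker
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    # Constructed input that reads as valid SQL once spliced into the text.
    evil = "x' OR '1'='1"
    print("driver paramstyle:", sqlite3.paramstyle)
    print("unsafe:", lookup_unsafe(conn, evil))   # every row comes back
    print("safe:  ", lookup_safe(conn, evil))     # no row matches that literal name
    print("safe:  ", lookup_safe(conn, "alice"))
```

Two points the example makes explicit. First, the marker to write depends on the driver, not on the database: check the driver module's `paramstyle` attribute and use the matching marker, passing the values separately as the second argument to `execute`. Second, binding covers values only; table and column names that sit in the SQL grammar cannot be bound, but `pg_get_serial_sequence` takes its table and column as ordinary text arguments, which is why binding `tableName` and `fieldName` works for the query in the thread.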