On Fri, Sep 18, 2009 at 2:14 PM, Jeff Johnson <[email protected]> wrote:
> Kent:
>
> How about this:
> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name,
> ))
No, that has the same result as your original. For example,
In [3]: name = "Kent'; drop table Stories;--"
In [4]: "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, )
Out[4]: "SELECT CUSTID FROM Stories WHERE NAME = 'Kent'; drop table Stories;--'"
Oops.
> Question, does execute know to substitute the question mark with name?
> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, ))
Yes, and it will correctly quote name according to the conventions of
the database in use. (Note that not all DB-API implementations use ?
as the placeholder; check the docs for the db you are using.)
Kent
_______________________________________________
Tutor maillist - [email protected]
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
