Hi, Thank you guys for the replies and thanks Kent for the explanation, and yes, this:

    self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, ))

using the comma did make it work.
On Fri, Sep 18, 2009 at 3:40 PM, Jeff Johnson <j...@dcsoftware.com> wrote:
> Thanks for the clarification Kent!
>
>
> Kent Johnson wrote:
>
>> On Fri, Sep 18, 2009 at 2:14 PM, Jeff Johnson <j...@dcsoftware.com> wrote:
>>
>>> Kent:
>>>
>>> How about this:
>>> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, ))
>>
>> No, that has the same result as your original. For example,
>>
>> In [3]: name = "Kent'; drop table Stories;--"
>>
>> In [4]: "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, )
>> Out[4]: "SELECT CUSTID FROM Stories WHERE NAME = 'Kent'; drop table Stories;--'"
>>
>> Oops.
>>
>>> Question, does execute know to substitute the question mark with name?
>>> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, ))
>>
>> Yes, and it will correctly quote name according to the conventions of
>> the database in use. (Note that not all DB-API implementations use ?
>> as the placeholder; check the docs for the db you are using.)
>>
>> Kent
>
> --
> Jeff
>
> Jeff Johnson
> j...@dcsoftware.com
> Phoenix Python User Group - sunpigg...@googlegroups.com

--
Cheers,
Krissy
-----------------------------------------------------------------------
Testing the waters is always fun...
_______________________________________________
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
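The three variants discussed in the thread side by side, as an added example that is not part of the original posts or of anyone's project code: Jeff's string-formatted query, the parameterized query Kent recommends, and the missing-comma call that Krissy started with. It assumes the sqlite3 module (the `?` placeholder in the thread is sqlite3's qmark style); the `Stories` table contents and the tautology payload are constructed for the demonstration, and Kent's `drop table` payload is reused verbatim. Note that sqlite3's `execute()` refuses text containing more than one statement, so the `drop table` payload is rejected by that driver; that is a driver quirk, not a defence, and the tautology payload shows that an injection confined to a single statement still returns every row.

```python
import sqlite3

# Constructed sample data for this example; the thread shows no table contents.
SAMPLE_ROWS = [(1, "Kent"), (2, "Jeff"), (3, "Krissy")]

# Kent's payload from the thread, plus one that fits inside a single statement.
DROP_PAYLOAD = "Kent'; drop table Stories;--"
TAUTOLOGY_PAYLOAD = "x' OR 'a'='a"


def make_db():
    """Fresh in-memory database with a Stories table shaped like the thread's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Stories (CUSTID INTEGER PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO Stories (CUSTID, NAME) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def formatted_sql(name):
    """Jeff's second attempt: the value is pasted into the SQL text."""
    return "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name,)


def run(conn, sql, params=None):
    """Execute and return (list of CUSTIDs, None), or ([], exception class name).

    Errors are caught so the caller can see what the driver did with the text.
    sqlite3 raises when the text holds more than one statement (the exception
    class depends on the Python version), which is a driver quirk, not a defence.
    """
    try:
        cur = conn.execute(sql) if params is None else conn.execute(sql, params)
        return [row[0] for row in cur], None
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return [], type(exc).__name__


def lookup_formatted(conn, name):
    """Vulnerable: quotes and semicolons in name become part of the query."""
    return run(conn, formatted_sql(name))


def lookup_parameterized(conn, name):
    """The fix from the thread: name is bound as a parameter, never spliced in,
    so quote characters inside it are just data."""
    return run(conn, "SELECT CUSTID FROM Stories WHERE NAME = ?", (name,))


def lookup_missing_comma(conn, name):
    """Krissy's original bug: (name) is a plain str, not a one-element tuple,
    so sqlite3 binds one parameter per character and complains about the count."""
    return run(conn, "SELECT CUSTID FROM Stories WHERE NAME = ?", (name))


def placeholder(paramstyle, position=1, name="name"):
    """Kent's caveat: the placeholder depends on the driver's PEP 249 paramstyle.
    Read the module's `paramstyle` attribute instead of assuming '?'."""
    return {
        "qmark": "?",
        "numeric": ":%d" % position,
        "named": ":%s" % name,
        "format": "%s",
        "pyformat": "%%(%s)s" % name,
    }[paramstyle]


def table_exists(conn, table="Stories"):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    return row[0] == 1


def demo():
    """Run every variant against the same database and collect the outcomes."""
    conn = make_db()
    return {
        "formatted_honest": lookup_formatted(conn, "Kent"),
        "formatted_tautology": lookup_formatted(conn, TAUTOLOGY_PAYLOAD),
        "formatted_drop": lookup_formatted(conn, DROP_PAYLOAD),
        "param_honest": lookup_parameterized(conn, "Kent"),
        "param_tautology": lookup_parameterized(conn, TAUTOLOGY_PAYLOAD),
        "param_drop": lookup_parameterized(conn, DROP_PAYLOAD),
        "missing_comma": lookup_missing_comma(conn, "Kent"),
        "table_survives": table_exists(conn),
    }


if __name__ == "__main__":
    print("sqlite3.paramstyle =", sqlite3.paramstyle, "->", placeholder(sqlite3.paramstyle))
    print(formatted_sql(DROP_PAYLOAD))
    for key, value in demo().items():
        print("%-20s %r" % (key, value))
```

Running the file prints the rendered SQL from Kent's `In [4]` and then the outcome of each call: the formatted query returns all three CUSTIDs for the tautology payload and is rejected outright for the multi-statement one, while the parameterized query returns `[1]` for `"Kent"` and nothing for either payload, with the table still in place afterwards.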