On 14-Jan-11 09:03, Jason Staudenmayer wrote:
Don't build your sql separate from the execute (or so I was told when I was doing something similar):

cur.execute("INSERT INTO tkindbtal (kommune, komnr, i2005, i2006, i2007, i2008, i2009, i2010) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)" % (cols[0], cols[1], int(cols[2]), int(cols[3]), int(cols[4]), int(cols[5]), int(cols[6]), int(cols[7])))
It's generally bad practice to simply paste string values together to include values into SQL, such as the code above (using % formatting).
You need to properly escape the data strings. Most SQL interfaces in Python offer methods for this, either as individual string operation or by allowing "place holder" values in the SQL query which discrete values are then added to as separate arguments (so the SQL library escapes them for you automatically).
The danger is if the data strings include SQL syntax like quotes or whatever, it can invalidate your SQL query, making it fail. A malicious user who can feed you those data values can deliberately design them to actually do whatever they want to your database.
_______________________________________________
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
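To make the point of the reply concrete, here is an added example (not code from either poster) that runs the thread's INSERT both ways against an in-memory SQLite database: once with values pasted into the SQL text via % formatting, once with driver placeholders. The table schema, the sample rows and the apostrophe in one municipality name are constructed for the demonstration; sqlite3 uses `?` as its placeholder, whereas drivers such as MySQLdb and psycopg2 use `%s` with the same two-argument `execute(sql, params)` call.

```python
import sqlite3

# Constructed sample input rows, shaped like the list-of-strings `cols` in
# the thread: municipality name, municipality number, six yearly counts.
PLAIN_ROW = ["Odense", "461", "10", "11", "12", "13", "14", "15"]
QUOTE_ROW = ["Sankt Peder's", "999", "1", "2", "3", "4", "5", "6"]  # name containing a quote


def make_db():
    """In-memory SQLite database with the thread's table (column types are an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tkindbtal (kommune TEXT, komnr TEXT, i2005 INTEGER, "
        "i2006 INTEGER, i2007 INTEGER, i2008 INTEGER, i2009 INTEGER, i2010 INTEGER)"
    )
    return conn


def parse_row(cols):
    """Convert the raw string fields to the types the table expects.
    int() rejects non-numeric input for the count columns, which is a
    useful validation step no matter how the SQL is built."""
    return (cols[0], cols[1]) + tuple(int(c) for c in cols[2:8])


def insert_unsafe(conn, cols):
    """The pattern from the thread: values pasted into the SQL text with
    % formatting. The two string columns are wrapped in quotes here so that
    ordinary input works; a value that itself contains a quote still breaks
    the statement, because the database parses the value as SQL."""
    sql = (
        "INSERT INTO tkindbtal (kommune, komnr, i2005, i2006, i2007, i2008, i2009, i2010) "
        "VALUES ('%s', '%s', %d, %d, %d, %d, %d, %d)" % parse_row(cols)
    )
    conn.execute(sql)


def insert_safe(conn, cols):
    """Placeholders: the values travel separately from the SQL text, so the
    driver stores them verbatim and never interprets their content as SQL."""
    sql = (
        "INSERT INTO tkindbtal (kommune, komnr, i2005, i2006, i2007, i2008, i2009, i2010) "
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?)"
    )
    conn.execute(sql, parse_row(cols))


def stored_names(conn):
    """Names actually stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT kommune FROM tkindbtal ORDER BY rowid")]


def demo():
    """Run both variants on both rows; return per-variant outcomes and stored names."""
    results = {}
    for label, insert in (("unsafe", insert_unsafe), ("safe", insert_safe)):
        conn = make_db()
        outcomes = []
        for row in (PLAIN_ROW, QUOTE_ROW):
            try:
                insert(conn, row)
                outcomes.append("ok")
            except sqlite3.Error as exc:
                outcomes.append("error: " + type(exc).__name__)
        results[label] = (outcomes, stored_names(conn))
    return results


if __name__ == "__main__":
    for label, (outcomes, names) in demo().items():
        print(label, outcomes, names)
```

Running it shows the unsafe variant inserting the plain row but failing with an `OperationalError` on the row whose name contains an apostrophe, while the placeholder variant stores both rows exactly as given. The same failure that makes a legitimate name break the query is what the reply warns about: input that is parsed as SQL rather than stored as data.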