[web2py] Are executesql parameters escaped?

Jorrit Thu, 12 Jan 2017 05:47:23 -0800

When I use *db.executesql* like so:

birthdays = db.executesql("SELECT * FROM auth_user WHERE  DAYOFYEAR(curdate() 
-2) < dayofyear(dateOfBirth) "
                          "AND DAYOFYEAR(curdate()) +7 >= 
dayofyear(dateOfBirth) "
                          "AND employeeState_id = {1} AND location_id IN 
(SELECT location_id FROM clusterLocation WHERE cluster_id={0}) ORDER BY 
MONTH(dateOfBirth), "
                          "DAY(dateOfBirth);".format(cluster, active_id), 
as_dict=True)



...are the cluster and active_id parameters SQL-escaped? If not what is the 
best way to do this?

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

[web2py] Are executesql parameters escaped?

Reply via email to