Yeah, that's what I meant by escaping user input. Guess I'll have to do something "manually". Because, now that you mention it, I recall that I did some tests a while back and those quotes were an integral part of making them safe.
On Jun 30, 7:39 am, Anand Chitipothu <[email protected]> wrote:
> 2010/6/30 Oskar <[email protected]>:
>
> > Hey!
> >
> > I'm putting together an SQL statement and I want to escape user input
> > strings, but I don't want ' ' surrounding them, because they are part
> > of a regexp. Is there a way to get rid of the ' ' or is there another
> > way to escape user input?
>
> You can use web.sqlliteral. But it is dangerous to use user input
> directly in the queries.
>
> Have you seen http://xkcd.com/327/?
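The point the thread circles around, shown in code. This is an added example, not code from the thread or from web.py: it uses Python's sqlite3 module with a REGEXP function registered on the connection instead of web.py's db layer (web.py's db.query() takes a vars dict and binds the values the same way). The table and rows are constructed for the demo. The safe version answers Oskar's question directly: build the whole regex in Python, escape the regex metacharacters in the user's text, and bind the finished pattern as one parameter, so the quotes wrap the entire pattern and never land inside the regex. The unsafe version is what dropping the quotes (web.sqlliteral on raw input) amounts to.

```python
import re
import sqlite3

# Constructed sample data for this example; not from the original thread.
ROWS = [
    ("alice", "admin"),
    ("bob", "user"),
    ("carol", "user"),
    ("dave", "admin"),
    ("o'brien", "user"),
]


def make_db():
    """Open an in-memory SQLite database with a REGEXP operator and the sample rows."""
    conn = sqlite3.connect(":memory:")
    # SQLite ships no REGEXP implementation; `x REGEXP y` calls regexp(y, x),
    # so the registered function receives (pattern, value).
    conn.create_function(
        "REGEXP", 2,
        lambda pattern, value: value is not None and re.search(pattern, value) is not None,
    )
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def unsafe_search(conn, user_input):
    """Splice the raw string into the statement, i.e. what 'dropping the quotes' amounts to."""
    sql = "SELECT name FROM users WHERE name REGEXP '^" + user_input + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, user_input):
    """Build the complete regex in Python, then bind it as a single parameter.

    re.escape() neutralises regex metacharacters in the user's text; the
    driver's quoting wraps the finished pattern, so the quotes never sit in
    the middle of the regex and SQL syntax is never reachable from input.
    """
    pattern = "^" + re.escape(user_input)
    sql = "SELECT name FROM users WHERE name REGEXP ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def quote_breaks_unsafe(conn, user_input):
    """True if the unquoted splice turns the statement into a syntax error."""
    try:
        unsafe_search(conn, user_input)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("safe   'a'        ->", safe_search(db, "a"))
    print("safe   \"o'brien\"  ->", safe_search(db, "o'brien"))
    print("unsafe \"o'brien\"  breaks the statement:", quote_breaks_unsafe(db, "o'brien"))
    print("unsafe '.*'       ->", unsafe_search(db, ".*"))
    print("unsafe injection  ->", unsafe_search(db, "x' OR role='admin"))
    print("safe   injection  ->", safe_search(db, "x' OR role='admin"))
```

A name containing an apostrophe (o'brien) is exactly the case Oskar remembers: with the quotes gone it is a syntax error, and the same mechanism lets `x' OR role='admin` rewrite the WHERE clause. With the pattern bound as a parameter both inputs are just text, and `.*` no longer matches every row because re.escape() has turned it into a literal.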
