in the pgsql it's something like cursor.execute('''insert into USERS VALUES(%s)''' % (userinput)) will automatically escape the string
Won't python substitute userinput into the string before cursor.execute() gets a chance to do any escaping?
Shouldn't it be
cursor.execute('''insert into USERS VALUES(%s)''', [userinput])
or something like that?
Nick
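The difference Nick points out, as an added example that is not part of the original thread. It uses Python's standard sqlite3 module so it runs without a PostgreSQL server; sqlite3's placeholder is `?` where psycopg2's is `%s`, but the two-argument `execute(sql, params)` call is the same DB-API 2.0 form in both.

```python
import sqlite3

# Constructed sample input: a value containing a single quote, the everyday
# case that breaks a query assembled with Python's % operator.
USER_INPUT = "O'Brien"


def setup():
    """Create an in-memory database with a one-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    return conn


def insert_by_formatting(conn, value):
    """The pattern from the quoted message: % substitutes the value into the
    SQL text before execute() ever sees it, so the driver has nothing left to
    escape. Quotes are added around %s so that benign input works at all.
    Returns None on success, or the database error message on failure."""
    sql = "INSERT INTO users VALUES('%s')" % value
    try:
        conn.execute(sql)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def insert_parameterized(conn, value):
    """Nick's suggested form: SQL text and value travel separately and the
    driver binds the value, so a quote inside it is data, not syntax.
    Returns all rows in insertion order so the effect can be checked."""
    conn.execute("INSERT INTO users VALUES(?)", [value])
    return conn.execute("SELECT name FROM users ORDER BY rowid").fetchall()


if __name__ == "__main__":
    conn = setup()
    print("formatting:", insert_by_formatting(conn, USER_INPUT))
    print("parameterized:", insert_parameterized(conn, USER_INPUT))
```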
Webware-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/webware-discuss