You are right,
here is some real code (a business critical function to slap upsell text based on who you are)


def getUserMessages(user):
    '''pass me a user object and I'll return a
    list of message dictionaries'''
    messages = []
    conn = datapool.getConnection()   # application's own connection pool
    c = conn.cursor()
    # %(name)s placeholders are filled in by the DB driver at execute time,
    # not by Python string formatting, so the driver does the quoting
    sql = """select title,message from welcome_messages where
    (target=%(userName)s OR target='everyone' OR target=%(company)s)
    """
    params = {'userName': user.name, 'company': user.company}
    c.execute(sql, params)
    rall = c.fetchall()
    for r in rall:
        message = {'title': r.title, 'message': r.message}
        messages.append(message)
    return messages



-Aaron

Nick Murtagh wrote:

Aaron Held wrote:

in the pgsql it's something like
   cursor.execute('''insert into USERS VALUES(%s)''' % (userinput))
will automatically escape the string


Won't python substitute userinput into the string before
cursor.execute() gets a chance to do any escaping?

Shouldn't it be

  cursor.execute('''insert into USERS VALUES(%s)''', [userinput])

or something like that?


Nick


-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss



--
-Aaron
http://www.MetroNY.com/
If the car industry behaved like the computer industry over the last 30 years, a Rolls-Royce would cost $5, get 300 miles per gallon, and blow up once a year killing all passengers inside.
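The point Nick raises (Python's % operator substitutes the value into the SQL text before cursor.execute() ever sees it, so the driver cannot escape it) and the parameterized style of Aaron's getUserMessages are shown side by side in the following added example. It is not code from the thread: it uses Python's built-in sqlite3 module with a constructed in-memory welcome_messages table so it runs offline, and sqlite3's :name placeholder style stands in for the %(name)s style that the PostgreSQL driver in the thread uses. A user name containing an apostrophe (O'Brien) is enough to show the difference: the formatted query is a syntax error, the parameterized one just works.

```python
import sqlite3


def build_sample_db():
    """Constructed in-memory stand-in for the welcome_messages table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # rows indexable by column name
    conn.execute(
        "create table welcome_messages (title text, message text, target text)")
    conn.executemany(
        "insert into welcome_messages values (?, ?, ?)",
        [
            ("Welcome", "Hello everyone", "everyone"),
            ("Hi Aaron", "Personal note", "aaron"),
            ("Acme news", "Company-wide notice", "acme"),
            ("Hi O'Brien", "Another personal note", "o'brien"),
        ],
    )
    return conn


class User:
    """Minimal stand-in for the user object passed to getUserMessages."""

    def __init__(self, name, company):
        self.name = name
        self.company = company


def get_user_messages_unsafe(conn, user):
    """%-formatting: Python builds the SQL text before the driver sees it,
    so quoting is done by hand and any apostrophe in the data breaks it."""
    sql = """select title, message from welcome_messages where
    (target='%(userName)s' OR target='everyone' OR target='%(company)s')""" % {
        "userName": user.name, "company": user.company}
    c = conn.cursor()
    c.execute(sql)  # only one argument: the driver has nothing to escape
    return [{"title": r["title"], "message": r["message"]} for r in c.fetchall()]


def get_user_messages(conn, user):
    """Parameterized, like the thread's getUserMessages: SQL text and values
    travel separately and the driver handles quoting. sqlite3 uses :name
    placeholders where pgdb/psycopg2 use %(name)s."""
    sql = """select title, message from welcome_messages where
    (target=:userName OR target='everyone' OR target=:company)"""
    params = {"userName": user.name, "company": user.company}
    c = conn.cursor()
    c.execute(sql, params)  # two arguments: values bound by the driver
    return [{"title": r["title"], "message": r["message"]} for r in c.fetchall()]


def compare(user):
    """Run both versions against the sample table; return
    (unsafe result or error text, parameterized result)."""
    conn = build_sample_db()
    try:
        unsafe = get_user_messages_unsafe(conn, user)
    except sqlite3.OperationalError as e:
        unsafe = "error: %s" % e
    safe = get_user_messages(conn, user)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for u in (User("aaron", "acme"), User("o'brien", "acme")):
        unsafe, safe = compare(u)
        print(u.name, "formatted:", unsafe)
        print(u.name, "parameterized:", [m["title"] for m in safe])
```

For the plain name both versions return the same three messages, which is why the formatted version looks fine in testing; for O'Brien the formatted query fails with a syntax error while the parameterized query returns the "everyone", company and personal rows. The same property that makes the formatted version fragile on legitimate data is what lets hostile input change the query, so the fix is the one Nick suggests: pass the values as the second argument to execute().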



