Python Risk
Carey Evans
careye at spamcop.net
Mon May 14 06:43:57 EDT 2001
"Delaney, Timothy" <tdelaney at avaya.com> writes:
> If the user can enter the criteria, you must always assume that they will
> enter both single and double quotes. So you always need to "fix" the data -
> for most SQL databases you double the quotes that match the delimiters, and
> single-quote is the most standard delimiter.
The SQL environments I've come across (DB2/400, PostgreSQL) assign
different meanings to single- and double-quote. Single-quote
surrounds strings, with embedded single-quotes doubled:
'This is Carey''s string.'
while double-quote surrounds field names, etc., that would otherwise
be SQL keywords:
insert into MyTable ("User", Country) values('carey', 'NZ')
Neither 'User' nor "carey" works at all in this statement.
--
Carey Evans http://home.clear.net.nz/pages/c.evans/
"Quiet, you'll miss the humorous conclusion."
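The two quoting rules Carey describes (single quotes around string literals with embedded ones doubled, double quotes around identifiers such as the column "User"), as an added Python example that is not code from the thread. It uses sqlite3 and a constructed table named MyTable; it also shows why a practitioner should hand the data to the driver as parameters rather than building the statement from quoted literals.

```python
import sqlite3


def quote_identifier(name: str) -> str:
    """Quote a column/table name with double quotes, doubling any embedded ones."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Quote a string literal with single quotes, doubling any embedded ones.

    Shown only to illustrate the rule from the post; the safer route is
    parameter binding (see insert_user), which never splices data into SQL text.
    """
    return "'" + value.replace("'", "''") + "'"


def build_insert_literal(user: str, country: str) -> str:
    """Build the post's insert statement from escaped literals (string splicing)."""
    return 'insert into MyTable (%s, Country) values(%s, %s)' % (
        quote_identifier("User"), quote_literal(user), quote_literal(country))


def insert_user(conn: sqlite3.Connection, user: str, country: str) -> None:
    """Preferred form: the driver binds the values, so quotes in the input are data."""
    conn.execute('insert into MyTable ("User", Country) values (?, ?)', (user, country))


def demo() -> list:
    """Constructed in-memory table; returns the stored "User" values in sort order."""
    conn = sqlite3.connect(":memory:")
    # "User" must be double-quoted because it collides with a SQL keyword elsewhere.
    conn.execute('create table MyTable ("User" text, Country text)')
    insert_user(conn, "carey", "NZ")
    insert_user(conn, "Carey's string", "NZ")      # embedded quote, no escaping needed
    conn.execute(build_insert_literal("O'Brien", "IE"))  # escaped by doubling the quote
    rows = conn.execute('select "User" from MyTable order by "User"').fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(demo())
```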