Trouble with MySQL

Jon Ribbens jon+usenet at unequivocal.co.uk
Wed Apr 24 17:05:20 EDT 2002


In article <7uxx8.44918$0x3.9466 at atlpnn01.usenetserver.com>, Steve Holden wrote:
>> curs.execute("""insert into table (col1, col2,...) values ('%s',
>>         '%s',...)""" % (val1, val2, ...)
> 
> Your version (which I used to suggest myself, so it's not like I'm accusing
> you of a crime <wink>) generates a unique SQL statement which is guaranteed
> to be different from the next, and the one after that, depriving the SQL
> implementation of the chance to optimize.

... it is also always a bug, because some characters such as ' will
cause syntax errors, and also, in many situations (for example, web
applications) it is a HUGE SECURITY HOLE since it means the Evil
Hacker can send arbitrary SQL queries to your database server.
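The following is an added illustration of both of those points (it is not from this post or the thread); it uses the stdlib sqlite3 module so it runs offline, with a constructed three-row table. The first function is the %-formatting pattern quoted above; the second passes the value as a DB-API parameter instead. Note that sqlite3 uses ? as its placeholder, whereas MySQLdb uses %s for parameters, so with MySQLdb the fix is simply to drop the quotes and the % operator and pass the tuple as the second argument to execute().

```python
import sqlite3

# Constructed sample data (not from the original post).
USERS = [
    ("alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Build an in-memory table to query against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", USERS)
    return conn


def lookup_formatted(conn, name):
    """The pattern criticised in the post: the value is spliced into the
    SQL text with % formatting, so the database parses user input as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parametrised(conn, name):
    """DB-API parameter binding: the SQL text is constant and the value is
    handed to the driver separately, so it can never change the statement."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Exercise both lookups with a legitimate awkward name and a hostile one."""
    conn = make_db()
    results = {}

    # 1. "always a bug": a perfectly valid name containing an apostrophe
    #    produces  WHERE name = 'O'Brien'  which is a syntax error.
    try:
        lookup_formatted(conn, "O'Brien")
        results["quote_formatted"] = "ok"
    except sqlite3.OperationalError:
        results["quote_formatted"] = "syntax error"
    results["quote_param"] = lookup_parametrised(conn, "O'Brien")

    # 2. "HUGE SECURITY HOLE": hostile input rewrites the WHERE clause to
    #    WHERE name = '' OR '1'='1'  and the query returns every row.
    evil = "' OR '1'='1"
    results["inject_formatted"] = len(lookup_formatted(conn, evil))
    results["inject_param"] = len(lookup_parametrised(conn, evil))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running it shows the formatted query failing on O'Brien and returning all three rows for the injected input, while the parametrised query returns exactly the O'Brien row in the first case and nothing in the second.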


