Trouble with MySQL

Jon Ribbens jon+usenet at unequivocal.co.uk
Wed Apr 24 23:06:45 EDT 2002


In article <aa7meg$84u$0 at 216.39.172.122>, Bengt Richter wrote:
> I just wanted to make it clear that leaving "'" out of the format string
> was not directly for the sake of SQL itself, but more for some intermediating
> software's purposes.

It's because the apostrophes are part of the syntax of the value, and
Python's DB API says that it automatically puts in all the syntax of
the value for you. This is a very good thing, because if it worked the
other way around and you were expecting, say, a number, so you
didn't put the apostrophes in, but it turns out the value in the
sequence is a string, you suddenly have a security hole.

> I guess I could RTFM, but how do you do a single INSERT with many
> value tuples?

executemany(sql, [params1, params2, params3, ...])

> Next time I want to do something with a DB, I'll have to try it with Python.
> (I used the mySQL C API before).

Hrm, yes, it is much easier building SQL strings in a language where
you don't have to allocate the memory for string operations by hand ;-)
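The two points above (the driver supplying the value syntax, and a single INSERT with many value tuples via executemany) as a runnable example added here; it is not code from the original thread. It assumes the sqlite3 module as a stand-in for MySQL, so the placeholder is `?` rather than the `%s` that MySQLdb's paramstyle uses; the table, rows and the hand-built query in `hand_built_lookup_breaks` are constructed for the illustration.

```python
import sqlite3

# Constructed sample data (not from the original post). The second name
# contains an apostrophe, the character the thread is about.
SAMPLE_ROWS = [
    ("alice", 30),
    ("o'brien", 41),
    ("bob", 25),
]


def make_db():
    """In-memory SQLite database standing in for MySQL (assumption for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, age INTEGER)")
    return conn


def insert_many(conn, rows):
    """One INSERT statement, many value tuples, via executemany().

    The DB API supplies the quoting: the SQL text contains no apostrophes
    around the placeholders, and a value that itself contains one is stored
    as-is rather than breaking the statement.
    """
    conn.executemany("INSERT INTO people (name, age) VALUES (?, ?)", rows)
    conn.commit()
    return len(rows)


def lookup_age(conn, name):
    """Parameterised SELECT: the driver handles the value syntax for any name."""
    row = conn.execute("SELECT age FROM people WHERE name = ?", (name,)).fetchone()
    return None if row is None else row[0]


def hand_built_lookup_breaks(conn, name):
    """Return True if a string-formatted query fails for this name.

    This is the approach the post warns against: the apostrophes are written
    into the SQL text by hand, so a legitimate value containing one ends up
    as stray syntax. Here it surfaces as a parse error; in other cases the
    value would be interpreted as SQL instead of as data.
    """
    try:
        conn.execute("SELECT age FROM people WHERE name = '%s'" % name).fetchone()
    except sqlite3.Error:
        return True
    return False


def demo():
    """Insert the sample rows and compare the two ways of querying them."""
    conn = make_db()
    inserted = insert_many(conn, SAMPLE_ROWS)
    return (
        inserted,
        lookup_age(conn, "o'brien"),
        lookup_age(conn, "nobody"),
        hand_built_lookup_breaks(conn, "o'brien"),
    )


if __name__ == "__main__":
    print(demo())
```

Running it returns `(3, 41, None, True)`: all three rows go in with one executemany call, the parameterised lookup finds the name with the apostrophe, and the hand-built query for that same name fails to parse. The same split between SQL text and values is what keeps a string arriving where a number was expected from turning into extra SQL.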