storing binary files to mySQL ???

Gerhard Häring gerhard.haering at gmx.de
Wed Dec 18 07:52:40 EST 2002


steindl fritz <python at floSoft.org> wrote:
> Gerhard Häring wrote:
>> * Fredrik Lundh <fredrik at pythonware.com> [2002-12-16 19:58 +0000]:
>>> "steindl fritz" <python at floSoft.org> wrote:
>>> > [...]
>>> >     SQL ='INSERT INTO tbl_BLOB (attrName, attrValue) VALUES
>>> > ("nameOfPicture", ' + picture + ')'
>>> > [...]
> 
>> DON'T. EVER. DO. THAT. (constructing INSERT/UPDATE/DELETE statements
>> manually). It's a bad habit that will bite you once. In your case, it
>> did already. I've seen security flaws introduced this way and data
>> accidentally deleted. If you don't see how this can happen, I'm happy to
>> show you a few examples.
> 
> 
> what do you mean by 'not constructing SQL manually'

What you did above in the "SQL =" line. You're inserting the values manually
there instead of letting the DB-API module handle the quoting of the various
types (int, string, ...) for you. The DB-API way is to use format parameters
and a tuple with the values to be inserted as an additional parameter for
.execute.

> somehow i have to make my queries manually (programmatically)
> 
> i used CompatMysqldb until now - worked fine
> the only thing not to solve was inserting binary files
> 
> because CompatMysqldb itself is importing _mysql i think it would make sense
> to implement one more 'format parameter' to take over binary files and do
> that _mysql.escape_string() there (inside CompatMysqldb)

No, it would not make sense. As I showed you, inserting BLOB data with the %s
format works fine, at least on Unix. If this really does not work for you with
the MySQLdb module on Windows, but does on Unix, please send me an email. (I'm
the guy who builds the MySQLdb win32 binaries).

Note that I'm not interested in reports about compatibility modules for long
gone other MySQL/Python implementations. Read: that Compat... module.

-- Gerhard
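The difference between the two approaches discussed in this thread, as an added example that is not code from the original post. It uses the standard library's sqlite3 module (which has the '?' paramstyle) instead of MySQLdb (which has the '%s' paramstyle) so it runs without a MySQL server; the table and column names are the ones from the original message, and the byte string standing in for the picture is constructed.

```python
import sqlite3

# Constructed stand-in for a picture: raw bytes that happen to contain a
# single quote, as real binary data will sooner or later.
PICTURE = b"\x89PNG\r\n\x1a\n' not really a picture"


def setup():
    """In-memory database with the table from the original message."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl_BLOB (attrName TEXT, attrValue BLOB)")
    return con


def insert_by_concatenation(con, name, picture):
    """The approach from the thread: splice the value into the SQL text.
    The quote inside the data ends the string literal early and the rest
    of the bytes are parsed as SQL. Returns the error text, or None if the
    statement happened to go through (which is not the same as correct)."""
    sql = "INSERT INTO tbl_BLOB (attrName, attrValue) VALUES ('%s', '%s')" % (
        name, picture.decode("latin-1"))
    try:
        con.execute(sql)
        con.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def insert_with_parameters(con, name, picture):
    """The DB-API way: placeholders in the SQL text, values in a tuple as
    the second argument to .execute. The driver does the quoting, and a
    bytes object is stored as a BLOB unchanged."""
    con.execute("INSERT INTO tbl_BLOB (attrName, attrValue) VALUES (?, ?)",
                (name, picture))
    con.commit()


def fetch(con, name):
    """Read the stored value back as bytes, or None if nothing was stored."""
    row = con.execute("SELECT attrValue FROM tbl_BLOB WHERE attrName = ?",
                      (name,)).fetchone()
    return None if row is None else bytes(row[0])
```

With MySQLdb the parameterized call is the same shape, only with `%s` in place of `?`; the values still go in the tuple, never into the SQL string.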
