storing binary files to mySQL ???
steindl fritz
python at floSoft.org
Wed Dec 18 04:01:26 EST 2002
Gerhard Häring wrote:
> * Fredrik Lundh <fredrik at pythonware.com> [2002-12-16 19:58 +0000]:
>> "steindl fritz" <python at floSoft.org> wrote:
>>
>> > i try to store pictures in a blob field of mySQL
>> >
>> >
>> > file = open("c:\\picture.jpg", 'rb')
>> > picture = file.read()
>> >
>> > SQL ='INSERT INTO tbl_BLOB (attrName, attrValue) VALUES ("nameOfPicture", ' + picture + ')'
>> >
>> > conn = CompatMysqldb.Connection("host", "username", "password", "db")
>> > curs = conn.cursor()
>> > curs.execute(SQL)
>
> DON'T. EVER. DO. THAT. (constructing INSERT/UPDATE/DELETE statements
> manually). It's a bad habit that will bite you once. In your case, it
> did already. I've seen security flaws introduced this way and data
> accidentally deleted. If you don't see how this can happen, I'm happy to
> show you a few examples.
what do you mean by 'not constructing SQL manually'
somehow i have to make my queries manually (programmatically)
i used CompatMysqldb until now - worked fine
the only thing not to solve was inserting binary files
because CompatMysqldb itself is importing _mysql i think it would make
sense to implement one more 'format parameter' to take over binary files
and do that _mysql.escape_string() there (inside CompatMysqldb)
==============================
extract from CompatMysqldb.py
==============================
if isDML(op):
    self.__dict__['description'] = None
    af = 0
    try:
        for x in params:
            self.__res = \
                self.__conn.query(op % x)
            af = af + self.__res.affectedrows()
            self.insert_id = self.__res.insert_id()
    except MySQL.Error, msg:
        raise error, msg
    return af
==============================
i think something (quick and dirty) like this ...
if op == "%binary":
    x = _mysql.escape_string(x)
    op = "%s"
... should help
--------------------------------------------
maybe i'll try that
fritz
(-:fs)
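
Added example, not part of the original message and not CompatMysqldb code: it contrasts the concatenated INSERT from the quoted post with a statement whose binary value is passed as a bound parameter. It assumes Python 3 and uses the standard-library sqlite3 module as a stand-in for MySQL so it runs without a server; the sample bytes and the helper names are constructed for illustration.

```python
import sqlite3

# Constructed sample: JPEG-like bytes that include a NUL, both quote
# characters, a backslash and a closing parenthesis.
SAMPLE_PICTURE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00'\"\\) \xff\xd9"


def open_db():
    """In-memory table with the column names used in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_BLOB (attrName TEXT, attrValue BLOB)")
    return conn


def store_concatenated(conn, name, data):
    """Pattern from the post: splice the raw bytes into the statement text.

    Returns None on success, otherwise the driver's error message.
    """
    text = data.decode("latin-1")  # Python 2 str was already a byte string
    sql = ('INSERT INTO tbl_BLOB (attrName, attrValue) VALUES ("'
           + name + '", ' + text + ')')
    try:
        conn.execute(sql)
    except (sqlite3.Error, sqlite3.Warning, ValueError) as exc:
        return str(exc)
    return None


def store_bound(conn, name, data):
    """Statement text is constant; the driver carries the bytes separately.

    With MySQLdb the placeholders are %s instead of ?, still passed as a
    second argument to execute(), never merged with the % operator.
    """
    conn.execute("INSERT INTO tbl_BLOB (attrName, attrValue) VALUES (?, ?)",
                 (name, data))


def load(conn, name):
    row = conn.execute("SELECT attrValue FROM tbl_BLOB WHERE attrName = ?",
                       (name,)).fetchone()
    return None if row is None else bytes(row[0])


if __name__ == "__main__":
    db = open_db()
    print("concatenated:", store_concatenated(db, "nameOfPicture", SAMPLE_PICTURE))
    store_bound(db, "nameOfPicture", SAMPLE_PICTURE)
    print("bound round-trip ok:", load(db, "nameOfPicture") == SAMPLE_PICTURE)
```

The concatenated form fails because the picture bytes become part of the SQL text and are parsed as SQL; the bound form stores and returns them byte for byte.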