Updating SQL table problems with python
Paul Boddie
paul at boddie.net
Fri Jun 6 10:36:56 EDT 2003
kuntzagk at sulawesi.bioinf.mdc-berlin.de wrote in message news:<bbn8ik$bdu9q$1 at fu-berlin.de>...
>
[Some SQL with '%s' in the middle of it, used in conjunction with
string substitution.]
> Did you get a python syntax error or a SQL syntax error?
> If the latter, check if your title contains a quote character.
> Got bitten by this myself.
Please:
* Do as Andy Todd suggested and use statement parameters.
* Do not mess around with quoting your values and dropping them
directly into SQL statements.
Otherwise:
* Your application may fail when it gets characters you didn't
think about and which your database system's SQL parser reacts
badly to.
* You may be exposing security-related defects because of quoting
issues you hadn't considered.
I recommend taking a couple of minutes looking at the DB-API and
reading about "paramstyle" and cursor objects. This will save you a
lot of time and needlessly wasted effort later on.
http://www.python.org/peps/pep-0249.html
Paul
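The two failure modes Paul lists (a legitimate title with a quote character breaking the statement, and a crafted title changing what the statement does) beside the DB-API parameter form he recommends, as an added example that is not part of the original post. It uses the standard-library sqlite3 module, whose paramstyle is "qmark", and a constructed in-memory table named docs; the table, rows, and the title strings are assumptions for illustration.

```python
import sqlite3

# DB-API modules advertise how placeholders are written; sqlite3 uses '?'.
PARAMSTYLE = sqlite3.paramstyle

# Constructed sample rows (not data from the original thread).
ROWS = [(1, "First title"), (2, "Second title")]


def make_db():
    """In-memory table with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO docs (id, title) VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def update_title_unsafe(conn, doc_id, title):
    """The pattern under discussion: '%s' substituted into the SQL text.
    A quote in `title` ends the string literal early, so the rest of the
    title is parsed as SQL."""
    sql = "UPDATE docs SET title = '%s' WHERE id = %d" % (title, doc_id)
    conn.execute(sql)
    conn.commit()


def update_title_safe(conn, doc_id, title):
    """DB-API statement parameters: the SQL text is fixed and the values
    travel separately, so quotes in `title` are just data."""
    conn.execute("UPDATE docs SET title = ? WHERE id = ?", (title, doc_id))
    conn.commit()


def titles(conn):
    """Current titles in id order, for inspecting the outcome."""
    return [row[0] for row in conn.execute("SELECT title FROM docs ORDER BY id")]


def demo():
    """Run both update styles against a harmless and a crafted title."""
    results = {}

    # 1. Ordinary title containing apostrophes: the substituted statement is
    #    no longer valid SQL and the driver raises a syntax error.
    conn = make_db()
    try:
        update_title_unsafe(conn, 1, "O'Reilly's guide")
        results["unsafe_quote"] = "ok"
    except sqlite3.OperationalError as exc:
        results["unsafe_quote"] = "error: %s" % exc

    # 2. Same title through parameters: stored exactly as given.
    conn = make_db()
    update_title_safe(conn, 1, "O'Reilly's guide")
    results["safe_quote"] = titles(conn)

    # 3. Crafted title: the quote closes the literal, '--' comments out the
    #    real WHERE clause, and every row in the table is overwritten.
    payload = "pwned' WHERE 1=1 --"
    conn = make_db()
    update_title_unsafe(conn, 1, payload)
    results["unsafe_payload"] = titles(conn)

    # 4. Same payload through parameters: only row 1 changes, and the
    #    payload is stored literally rather than executed.
    conn = make_db()
    update_title_safe(conn, 1, payload)
    results["safe_payload"] = titles(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the failure in case 1 and the data loss in case 3 come from the same defect: once the SQL text is built from the value, there is no quoting scheme you maintain by hand that the database parser will agree with in every case, which is why the parameter path in cases 2 and 4 is the only one worth keeping.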