PySQLite Problem
alc at PublicPropertySoftware.com
alc at PublicPropertySoftware.com
Fri May 9 22:05:17 EDT 2003
I'm doing some work with PySQLite, and pretty good results
for quite some time, no problems at all. Then, today I
hit this one. The code reads roughly:
SQL = """update nodes
set nodesequence = %s,
nodename = '%s',
modifieddatetime = '%s',
modifiedby = '%s'
where node == %s"""
try:
cursor.execute( SQL % (
nodeSequence,
newTitle,
newTime,
aName,
aNode ) )
The nodesequence and node fields are integer, and the
others are strings. Problem happens when newTitle
contains unpaired tick marks, as in e.g. O'Reilly. This
throws an exception in PySQLite with a format error for
the SQL.
I believe that real SQL wants the ticks around the literals,
otherwise there is not any way for the SQL interpreter to
tell what's data and what's not. But taking the tick marks
away and using just %s fixes the O'Reilly example for PySQLite.
How this works, IDK, but it does. But other combinations of
single and double quotes in the data still crash PySQLite.
Of course, I have no way to know what a valued customer or
client might type into one of my data entry fields, so I
want to make something more than partly bulletproof.
Is there any better solution than to use the tick marks and
wrap all my calls to PySQLite to double the ticks on the way
in and undouble them on the way out?
TIA for not laughing.
Al
More information about the Python-list
mailing list