help with creating a mysql query string
Tristan Seligmann
mithrandi at mithrandi.za.net
Sun Jun 27 09:34:00 EDT 2004
On Sun, Jun 27, 2004 at 07:58:09 -0400, Sean Ross wrote:
>
> "RiGGa" <rigga at hasnomail.com> wrote in message
> news:3SvDc.22042$NK4.3722156 at stones.force9.net...
> [snip]
> >
> > sqlquery = "INSERT INTO %s", tablename + " values(%s,%s,%s)", datavalue"
> >
> [snip]
>
> sqlquery = "INSERT INTO " + tablename + " values(%s,%s,%s)"%datavalue
Rather do something like:
sqlquery = "INSERT INTO %s values(%%s,%%s,%%s)" % tablename
cursor.execute(sqlquery, datavalue)
The other way allows datavalue to contain arbitrary SQL that will be
executed, which can be a nasty security hole depending on where the
value comes from.
--
mithrandi, i Ainil en-Balandor, a faer Ambar
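As an added example (not code from the thread), the two styles side by side in runnable form. It uses the standard-library sqlite3 module instead of MySQLdb so it runs offline; sqlite3 binds parameters with `?` where MySQLdb uses `%s` (which is why the string above writes `%%s`, so that the first `%` only fills in the table name). The table name is an identifier and cannot be bound by any DB-API driver, so it is checked against a hard-coded allowlist. The table `readings` and the sample values are constructed for this example.

```python
import sqlite3

# Constructed sample schema; in the thread this would be a MySQL table.
ALLOWED_TABLES = {"readings"}  # identifiers cannot be bound, so allowlist them


def make_db():
    """In-memory database so the example runs without a server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (a TEXT, b TEXT, c TEXT)")
    return conn


def insert_unsafe(conn, tablename, datavalue):
    """String interpolation as in the quoted reply (quotes added around the
    values so that string data parses at all).  The values become part of the
    SQL text, so any quote or SQL syntax inside them changes the statement."""
    sql = "INSERT INTO " + tablename + " values('%s','%s','%s')" % datavalue
    conn.execute(sql)
    return sql


def insert_safe(conn, tablename, datavalue):
    """Parameter binding as recommended above.  Only the table name is
    formatted in, after an allowlist check; the values go to execute() as
    parameters and never touch the SQL text."""
    if tablename not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % (tablename,))
    # sqlite3 placeholder is '?'; with MySQLdb this line would read
    # "INSERT INTO %s values(%%s,%%s,%%s)" % tablename
    sql = "INSERT INTO %s values(?,?,?)" % tablename
    conn.execute(sql, datavalue)
    return sql


def rows(conn, tablename):
    if tablename not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % (tablename,))
    return conn.execute("SELECT a, b, c FROM %s" % tablename).fetchall()


def demo():
    """Insert a value containing an apostrophe both ways.  The bound version
    stores it verbatim; the interpolated version fails because the quote
    terminates the literal early and the rest is parsed as SQL."""
    conn = make_db()
    tricky = ("O'Brien", "2", "3")   # constructed input with an embedded quote
    insert_safe(conn, "readings", tricky)
    try:
        insert_unsafe(conn, "readings", tricky)
        unsafe_error = None
    except sqlite3.OperationalError as exc:
        unsafe_error = str(exc)
    return rows(conn, "readings"), unsafe_error


if __name__ == "__main__":
    stored, err = demo()
    print("bound insert stored:", stored)
    print("interpolated insert failed with:", err)
```

The apostrophe case is the harmless end of the same defect: the value is parsed as SQL rather than treated as data, and a value shaped like SQL would be executed the same way, as the reply above notes. Binding fixes both the breakage and the injection at once, and is also what lets the driver quote and escape correctly for its own dialect.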