help with creating a mysql query string

Tristan Seligmann mithrandi-mplayer-dev-eng at mithrandi.za.net
Sun Jun 27 12:11:28 EDT 2004


On Sun, Jun 27, 2004 at 07:58:09 -0400, Sean Ross wrote:
> 
> "RiGGa" <rigga at hasnomail.com> wrote in message
> news:3SvDc.22042$NK4.3722156 at stones.force9.net...
> [snip]
> >
> > sqlquery = "INSERT INTO %s", tablename + " values(%s,%s,%s)", datavalue"
> >
> [snip]
> 
> sqlquery = "INSERT INTO " + tablename + " values(%s,%s,%s)"%datavalue

Rather do something like:

sqlquery = "INSERT INTO %s values(%%s,%%s,%%s)" % tablename
cursor.execute(sqlquery, datavalue)

The other way allows datavalue to contain arbitrary SQL that will be
executed, which can be a nasty security hole depending on where the
value comes from.
-- 
mithrandi, i Ainil en-Balandor, a faer Ambar
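To show the difference concretely, here is an added example (not code from the thread) that runs both versions against an in-memory sqlite3 database; sqlite3 uses `?` placeholders where MySQLdb uses `%s`, and the table allowlist is an assumption added because a table name cannot be passed as a bound parameter.

```python
import sqlite3

# Assumed allowlist: the table name is formatted into the SQL text, so it must
# come from a fixed set rather than from user input.
ALLOWED_TABLES = {"notes"}


def insert_unsafe(conn, tablename, datavalue):
    """The string-formatting version from the thread: datavalue becomes SQL text."""
    sqlquery = "INSERT INTO " + tablename + " values(%s,%s,%s)" % datavalue
    conn.execute(sqlquery)
    return sqlquery


def insert_safe(conn, tablename, datavalue):
    """Parameterised version: only the (allowlisted) table name is formatted in;
    the values are bound by the driver and never interpreted as SQL."""
    if tablename not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % (tablename,))
    sqlquery = "INSERT INTO %s values(?,?,?)" % tablename
    conn.execute(sqlquery, datavalue)
    return sqlquery


def demo(datavalue):
    """Insert the same tuple both ways; return what the safe path stored and
    the error (if any) the unsafe path produced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER, author TEXT, body TEXT)")
    insert_safe(conn, "notes", datavalue)
    stored = conn.execute("SELECT author, body FROM notes").fetchall()
    try:
        insert_unsafe(conn, "notes", datavalue)
        unsafe_error = None
    except sqlite3.Error as exc:
        # A quote or comma in the data changes the statement itself.
        unsafe_error = str(exc)
    return stored, unsafe_error


if __name__ == "__main__":
    # Constructed input: an ordinary name containing an apostrophe.
    print(demo((1, "O'Brien", "a note")))
```

With the constructed input the parameterised insert stores `O'Brien` verbatim, while the formatted version fails to parse because the apostrophe became part of the SQL; data that happens to be valid SQL would instead be executed.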