Transfer data from webpage form to database
Jerry Sievers
jerry at jerrysievers.com
Wed Nov 24 08:30:19 EST 2004
Mark Roach <mrroach at okmaybe.com> writes:
> On Wed, 2004-11-24 at 02:16 +0100, Pete..... wrote:
>
> That syntax doesn't look right. I think you were closer with your
> previous attempt. This is slightly more correct
>
> cur.execute('''INSERT INTO persons (name, surname, username, password)
> VALUES('%s','%s', '%s', '%s')''' % (form[name].value,
> form[surname].value, form[username].value, form[password].value))
>
> (Note the single quotes around the %s)
>
> The real problem with this code is that you are letting the user of your
> website inject whatever SQL they want directly into your command. I am
> not sure if this works for pypgsql, but with psycopg the safe way to do
> this is
If you are using pygresql the execute() method allows an optional dict
as arg2 and if provided, will be quoted according to data types and
the LHS string integrated with the dict as if by the % operator.
cur.execute('query')
cur.execute('query with hand quoted args %s' % (foo))
cur.execute('query with args quoted by API %(name1)s, %(name2)d',dict)
String types will get wrapped in single quotes and have embedded
single quotes escaped, the most common use but other types such as
datetime will get special treatment as well.
I agree with you. Any up-to-date API should have this capability,
which can always be overridden in an extreme case.
Bye
--
-------------------------------------------------------------------------------
Jerry Sievers 305 854-3001 (home) WWW ECommerce Consultant
305 321-1144 (mobile) http://www.JerrySievers.com/
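As an added example that is not part of this thread (and not pygresql, pypgsql or psycopg code): the INSERT from the quoted post, built once with the % operator and once with driver-supplied parameters, run against an in-memory SQLite database so it works offline. sqlite3 is an assumption standing in for whichever PostgreSQL driver the reader uses; its ':name' parameter style plays the role of the dict quoting described above. The form submissions are constructed for the demonstration: one contains an attacker-chosen surname that closes the VALUES list early and comments out the rest, the other simply contains a surname with an apostrophe.

```python
import sqlite3

# Same table as in the quoted INSERT. UNIQUE on username is an assumption for realism.
SCHEMA = """
CREATE TABLE persons (
    name TEXT, surname TEXT, username TEXT UNIQUE, password TEXT
)"""


def fresh_db():
    """New in-memory database per run so each demo starts from an empty table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unsafe(conn, form):
    """The pattern the post warns about: user bytes are spliced into SQL text with %.
    Whatever the user typed becomes SQL syntax, quotes included."""
    sql = """INSERT INTO persons (name, surname, username, password)
             VALUES('%s','%s', '%s', '%s')""" % (
        form["name"], form["surname"], form["username"], form["password"])
    conn.execute(sql)
    return sql


def insert_safe(conn, form):
    """Parameterized form: the SQL text is fixed, the driver quotes and escapes
    each value from the dict (sqlite3 ':name' style stands in for pygresql's
    %(name)s dict argument)."""
    sql = """INSERT INTO persons (name, surname, username, password)
             VALUES(:name, :surname, :username, :password)"""
    params = {k: form[k] for k in ("name", "surname", "username", "password")}
    conn.execute(sql, params)
    return sql


def stored_username(conn):
    return conn.execute("SELECT username FROM persons").fetchone()[0]


def stored_surname(conn):
    return conn.execute("SELECT surname FROM persons").fetchone()[0]


# Constructed attacker input. The surname ends the VALUES list itself, choosing
# 'admin' for the username column, and '--' comments out the rest of the line,
# so the real username field from the form is never used.
MALICIOUS_FORM = {
    "name": "Pete",
    "surname": "Smith', 'admin', 'hunter2') --",
    "username": "pete",
    "password": "secret",
}

# Constructed benign input: an ordinary surname with an embedded single quote.
APOSTROPHE_FORM = {
    "name": "Conor", "surname": "O'Brien", "username": "cobrien", "password": "pw",
}


def demo_unsafe():
    """Returns the username actually stored: 'admin', not the 'pete' the form sent."""
    conn = fresh_db()
    insert_unsafe(conn, MALICIOUS_FORM)
    return stored_username(conn)


def demo_safe():
    """Same attacker input through parameters: username is 'pete' and the whole
    payload is stored literally as the surname string, doing nothing."""
    conn = fresh_db()
    insert_safe(conn, MALICIOUS_FORM)
    return stored_username(conn), stored_surname(conn)


def demo_apostrophe():
    """Even a non-malicious O'Brien breaks the %-formatted query (the quote ends the
    string early and the statement no longer parses), while the parameterized
    version stores it as typed. Returns (unsafe_succeeded, surname_stored_safely)."""
    unsafe_ok = True
    try:
        insert_unsafe(fresh_db(), APOSTROPHE_FORM)
    except sqlite3.OperationalError:
        unsafe_ok = False
    conn = fresh_db()
    insert_safe(conn, APOSTROPHE_FORM)
    return unsafe_ok, stored_surname(conn)


if __name__ == "__main__":
    print("unsafe, malicious surname -> username stored:", demo_unsafe())
    print("safe,   malicious surname -> (username, surname):", demo_safe())
    print("apostrophe surname -> (unsafe succeeded?, surname via params):", demo_apostrophe())
```

The apostrophe case is the practical argument for letting the driver quote even when you trust your users: hand-quoting with % fails on legitimate names long before anyone tries an attack, and the same mechanism that handles O'Brien correctly is what stops the injected VALUES list.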