Transfer data from webpage form to database

Mark Roach mrroach at okmaybe.com
Tue Nov 23 22:57:14 EST 2004


On Wed, 2004-11-24 at 02:16 +0100, Pete..... wrote:
> Hi I got that error debugged but, now there is a new one:
>          12 cur.execute('''INSERT INTO persons (persons.name, 
> persons.surname, persons.username, persons.password) VALUES %s,%s, %s, %s 
> ''' %(form['name'].value, form['surname'].value, form['username'].value, 
> form['password'].value))

That syntax doesn't look right. I think you were closer with your
previous attempt. This is slightly more correct:

cur.execute('''INSERT INTO persons (name, surname, username, password) 
    VALUES('%s','%s', '%s', '%s')''' % (form['name'].value, 
    form['surname'].value, form['username'].value, form['password'].value))

(Note the single quotes around the %s)

The real problem with this code is that you are letting the user of your
website inject whatever SQL they want directly into your command. I am
not sure if this works for pypgsql, but with psycopg the safe way to do
this is

insert_command = '''
    INSERT INTO persons (name, surname, username, password) 
    VALUES(%s, %s, %s, %s)
'''
cur.execute(insert_command,
    (form['name'].value, form['surname'].value,
     form['username'].value, form['password'].value))

I believe this works with other DB API 2.0 compatible modules. This lets
the database module worry about whether "jim's house" needs to be turned
into "jim\\'s house" or "'jim\\'s house'"

HTH

-Mark
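Added example (not from the thread or any of its posters) showing the two patterns Mark contrasts side by side, using the DB API 2.0 module that ships with Python, sqlite3, so it runs offline. The form submissions, the table definition and the column types are constructed for the demo. Note that sqlite3 uses "?" placeholders where psycopg uses "%s"; every DB API 2.0 module reports its own style in module.paramstyle.

```python
import sqlite3

# Constructed form submissions standing in for cgi.FieldStorage .value
# strings; neither the data nor the schema is from the original post.
BENIGN = {"name": "Jim", "surname": "O'Brien", "username": "jim",
          "password": "hunter2"}
# A registration whose password field smuggles a second VALUES row
# (an "admin" account) into the INSERT and comments out the rest.
HOSTILE = {"name": "Eve", "surname": "Nobody", "username": "eve",
           "password": "pw'), ('Admin', 'Root', 'admin', 'owned') --"}


def fresh_db():
    """In-memory SQLite database with a persons table like the thread's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE persons "
                 "(name TEXT, surname TEXT, username TEXT, password TEXT)")
    return conn


def insert_formatted(conn, form):
    """The vulnerable pattern: values pasted into the SQL with % formatting."""
    cur = conn.cursor()
    cur.execute('''INSERT INTO persons (name, surname, username, password)
        VALUES('%s', '%s', '%s', '%s')''' % (
        form["name"], form["surname"], form["username"], form["password"]))
    conn.commit()


def insert_parameterized(conn, form):
    """The safe pattern: placeholders in the SQL, values in a separate tuple.
    sqlite3 uses ? placeholders; psycopg uses %s (see module.paramstyle)."""
    cur = conn.cursor()
    cur.execute('''INSERT INTO persons (name, surname, username, password)
        VALUES(?, ?, ?, ?)''', (
        form["name"], form["surname"], form["username"], form["password"]))
    conn.commit()


def rows(conn):
    """All stored rows, in insertion order."""
    return conn.execute("SELECT name, surname, username, password "
                        "FROM persons ORDER BY rowid").fetchall()


def demo(inserter, form):
    """Run one inserter on a fresh database.
    Returns ('error', message) if the statement failed, else ('ok', rows)."""
    conn = fresh_db()
    try:
        inserter(conn, form)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", rows(conn))


if __name__ == "__main__":
    # The apostrophe in O'Brien alone is enough to break the formatted query,
    # and the hostile submission creates two accounts instead of one.
    for inserter in (insert_formatted, insert_parameterized):
        for label, form in (("benign", BENIGN), ("hostile", HOSTILE)):
            print(inserter.__name__, label, demo(inserter, form))
```

Running it shows the formatted version failing on a legitimate surname and storing two rows for the hostile one, while the parameterized version stores exactly one row each time, with the hostile password kept as a harmless literal string.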
