sql escaping module
David Bear
david.bear at asu.edu
Thu Dec 8 14:07:03 EST 2005
Fredrik Lundh wrote:
> David Bear wrote:
>
>> Being new to pgdb, I'm finding there are lot of things I don't understand
>> when I read the PEP and the sparse documentation on pgdb.
>>
>> I was hoping there would be a module that would properly escape longer
>> text strings to prevent sql injection -- and other things just make sure
>> the python string object ends up being a properly type for postgresql.
>> I've bought 3 books on postgresql and none of the code samples demonstrate
>> this.
>>
>> web searches for 'python sql escape string' yield way too many results.
>>
>> Any pointers would be greatly appreciated.
>
> for x in range(1000000):
>     print "USE PARAMETERS TO PASS VALUES TO THE DATABASE"
>
> </F>
Yes. Fredrik and others. Thank you for the advice.
I now have the following code:
..
parmChar = '%s'   # pgdb uses the 'format' paramstyle, so each value slot is %s
sqlInsert = """INSERT INTO %s (%s) VALUES (%s); """ % (
    tn, ", ".join(fieldnames), ", ".join([parmChar] * len(fieldnames)))
try:
    # the values in datum are passed as parameters, not spliced into the SQL text
    cursor.execute(sqlInsert, datum)
except pgdb.DatabaseError:
    # format_exc() returns the traceback as a string; print_exc() only prints it
    logerror("Error on record insert \n %s \n %s" % (sqlInsert,
                                                     traceback.format_exc()))
I was not aware that the python db interface would just handle proper
escaping of python data types to proper postgresql data types.
Any other hints on database programming much appreciated.
--
David Bear
-- let me buy your intellectual property, I want to own your thoughts --
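An added example (not code from the thread) of the pattern discussed above: values go to the database as parameters, while the table and field names, which cannot be parameters, are checked against a whitelist before being interpolated. It uses the stdlib sqlite3 module as an offline stand-in for pgdb (placeholder '?' instead of pgdb's '%s'); the names ALLOWED, check_identifiers, build_insert, safe_insert, unsafe_insert and demo are assumptions.

```python
import re
import sqlite3

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Identifiers are not values and cannot be passed as parameters, so they are
# whitelisted here before being spliced into the statement text (assumed names).
ALLOWED = {"people": ("name", "email")}

def check_identifiers(table, fieldnames):
    """True only if table and every field are known, well-formed identifiers."""
    if table not in ALLOWED:
        return False
    return all(f in ALLOWED[table] and IDENT_RE.match(f) for f in fieldnames)

def build_insert(table, fieldnames, paramchar="%s"):
    """Build the INSERT the way the post does: one placeholder per field.

    paramchar is '%s' for pgdb (paramstyle 'format') and '?' for sqlite3.
    """
    if not check_identifiers(table, fieldnames):
        raise ValueError("identifier not allowed: %r %r" % (table, fieldnames))
    return "INSERT INTO %s (%s) VALUES (%s)" % (
        table, ", ".join(fieldnames), ", ".join([paramchar] * len(fieldnames)))

def safe_insert(cursor, table, fieldnames, datum):
    """Values travel as parameters; the driver handles quoting and typing."""
    cursor.execute(build_insert(table, fieldnames, paramchar="?"), datum)

def unsafe_insert(cursor, table, fieldnames, datum):
    """What the thread warns against: values spliced into the SQL text by hand."""
    quoted = ", ".join("'%s'" % v for v in datum)
    cursor.execute("INSERT INTO %s (%s) VALUES (%s)"
                   % (table, ", ".join(fieldnames), quoted))

def demo():
    """Insert a constructed row containing an apostrophe both ways."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE people (name TEXT, email TEXT)")
    datum = ("O'Brien", "ob@example.invalid")  # constructed sample row
    safe_insert(cur, "people", ["name", "email"], datum)
    try:
        unsafe_insert(cur, "people", ["name", "email"], datum)
        unsafe_ok = True
    except sqlite3.OperationalError:
        unsafe_ok = False  # the apostrophe broke the hand-built statement
    cur.execute("SELECT name FROM people")
    return [row[0] for row in cur.fetchall()], unsafe_ok
```

The parameterized insert stores the name intact, while the hand-quoted version fails on the same input; with pgdb the same build_insert call is used with the default '%s' placeholder.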