MySQL problem
Kent Johnson
kent37 at tds.net
Fri Mar 18 12:09:47 EST 2005
wes weston wrote:
> Dennis Lee Bieber wrote:
>> Try neither; the recommended method is to let the execute() do
>> the formatting... That way /it/ can apply the needed quoting of
>> arguments based upon the type of the data.
>>
>> cursor.execute("insert into produkt1 (MyNumber) values (%s)", (MyValue,))
>>
>
> Dennis,
> Do you know if this has some efficiency advantage,
> or is it just an agreed-upon custom?
It may have efficiency advantages if the DB caches requests. But the main advantages are that
- it correctly escapes special chars such as "
- consequently it also protects against SQL injection attacks where MyValue might contain malicious SQL.
Kent
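An added example, not part of the thread, showing the two points above (quote escaping and injection) with runnable code. It assumes the standard-library sqlite3 module in place of MySQLdb so it runs offline; sqlite3's placeholder is ? where MySQLdb's is %s, but the execute(sql, params) contract is the same DB-API one. The table and rows are constructed here to stand in for the poster's produkt1.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the poster's produkt1 table
    (assumption: sqlite3 instead of MySQLdb)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table produkt1 (MyNumber integer, Name text)")
    conn.executemany(
        "insert into produkt1 (MyNumber, Name) values (?, ?)",
        [(1, "widget"), (2, "gadget"), (3, "O'Reilly")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Python does the formatting: the value is pasted raw into the SQL text,
    so a quote in it ends the string literal and the rest is parsed as SQL."""
    sql = "select MyNumber from produkt1 where Name = '%s' order by MyNumber" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """The driver does the formatting: the value is bound as data and is never
    parsed as SQL, whatever characters it contains."""
    sql = "select MyNumber from produkt1 where Name = ? order by MyNumber"
    return [row[0] for row in conn.execute(sql, (name,))]


def quote_breaks_unsafe(conn, name):
    """True if string formatting turns a value with a quote into a SQL syntax error."""
    try:
        lookup_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def insert_safe(conn, number, name):
    """Parameterised insert; note the one-element tuple (name,) for the params."""
    conn.execute(
        "insert into produkt1 (MyNumber, Name) values (?, ?)", (number, name)
    )
    return lookup_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    # Ordinary input: both styles agree.
    print(lookup_unsafe(db, "widget"), lookup_safe(db, "widget"))
    # Malicious input: formatting returns every row, binding returns none.
    evil = "' OR '1'='1"
    print(lookup_unsafe(db, evil), lookup_safe(db, evil))
    # Legitimate input containing a quote: formatting breaks, binding works.
    print(quote_breaks_unsafe(db, "O'Reilly"), lookup_safe(db, "O'Reilly"))
    print(insert_safe(db, 4, "Bob's"))
```

With MySQLdb the same functions would use %s as the placeholder and keep passing the values as a tuple; the point is that the quoting is the driver's job, not the caller's.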