modifying html input date for mysql, reg ex or string interpolation?
John J. Lee
jjl at pobox.com
Tue Apr 11 19:10:37 EDT 2006
Kun <neurogasm at gmail.com> writes:
[...]
> mysqlstatement = "INSERT INTO dir (date, purchasetype, price, comment)
> VALUES ('"+ date +"','"+ purchasetype +"','"+ price +"','"+ comment +"' )"
[...]
Haven't read your post carefully, but the first thing that jumps out
at me is that you should be using SQL parameter interpolation, not
Python string formatting.
sql = ("INSERT INTO dir (date, purchasetype, price, comment) "
"VALUES (%s, %s, %s, %s)")
cursor.execute(sql, (date, purchasetype, price, comment))
Google for "SQL injection" to see why this is a nasty security issue,
not just a matter of practical coding convenience.
John
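The concatenated statement quoted above beside the parameterised form John recommends, as an added example that is not part of the original thread; it assumes Python's standard-library sqlite3 module (which marks parameters with ? where MySQLdb uses %s) so it runs without a MySQL server, and the table and sample values are constructed.

```python
# Added example (not from the original post): the concatenated statement
# quoted in the thread beside the parameterised form.  sqlite3 is used so
# it runs offline; it writes placeholders as ? where MySQLdb uses %s, but
# cursor.execute(sql, params) works the same way with both drivers.
import sqlite3


def make_db():
    """In-memory copy of the 'dir' table from the thread (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dir (date TEXT, purchasetype TEXT, price TEXT, comment TEXT)"
    )
    return conn


def insert_concatenated(conn, date, purchasetype, price, comment):
    """The pattern from the original post: values pasted into the SQL text.
    Any quote in the data becomes part of the statement, so the database
    parses user input as SQL rather than storing it as a value."""
    sql = ("INSERT INTO dir (date, purchasetype, price, comment) VALUES ('"
           + date + "','" + purchasetype + "','" + price + "','" + comment + "')")
    conn.execute(sql)
    conn.commit()


def insert_parameterised(conn, date, purchasetype, price, comment):
    """The fix: the driver sends the values separately from the SQL, so the
    data is stored verbatim and is never parsed as part of the statement."""
    sql = ("INSERT INTO dir (date, purchasetype, price, comment) "
           "VALUES (?, ?, ?, ?)")
    conn.execute(sql, (date, purchasetype, price, comment))
    conn.commit()


def stored_comments(conn):
    return [row[0] for row in conn.execute("SELECT comment FROM dir")]


def demo(comment="Bob's cafe"):
    """Run both inserts with a comment containing an apostrophe (constructed
    sample input).  Returns (error raised by concatenation, stored comments)."""
    conn = make_db()
    try:
        insert_concatenated(conn, "2006-04-11", "food", "12.50", comment)
        error = None
    except sqlite3.Error as exc:
        error = type(exc).__name__  # the stray quote breaks the statement
    insert_parameterised(conn, "2006-04-11", "food", "12.50", comment)
    return error, stored_comments(conn)
```

With an ordinary value both inserts succeed, which is why the defect goes unnoticed until data containing a quote arrives; the parameterised insert stores the apostrophe intact either way.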