psycopg
Calvin Spealman
ironfroggy at socialserve.com
Wed Dec 12 09:08:44 EST 2007
Don't do that, for a number of reasons. String concatenation is
really never a good idea and formatting your own query strings is
exactly what leads to things like SQL injection. Let the db library
handle it for you:
cur.execute('insert into seq(id,sequence) values(3, %s)', (content,))
Notice that, although we're using the %s placeholder, we are _not_
using the % operator to format the string. This is because the db
module will do any proper preparation of the value for you before
inserting into the string.
On Dec 12, 2007, at 8:31 AM, sujitha mary wrote:
> hi all,
> while executing this cur.execute('insert into seq(id,sequence)
> values(3,'+content+')')
> I'm getting an error psycopg2.ProgrammingError: syntax error at
> or near "prophage"
> LINE 1: insert into seq(id,sequence) values(3,Tum2 prophage
> complete...
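An added worked example of the point Calvin makes above; it is not part of the original thread or of psycopg. It uses the standard-library sqlite3 module as an offline stand-in for psycopg2, so the placeholder is spelled ? where psycopg2 spells it %s. The table layout is the one from the post; the sample values, the helper names and the "hand_quoted" variant are constructed for the demonstration. The script runs the poster's concatenation, the tempting hand-quoting repair, and the parameterised version over the same inputs and reports what each one stores.

```python
import sqlite3

# Constructed sample values (not from the original thread). The first mirrors
# the value in the poster's error message; the other two contain a single
# quote, which is legal in a sequence description but defeats hand-built SQL.
SAMPLES = [
    "Tum2 prophage complete",
    "5' flanking region",
    "x'); delete from seq; --",
]


def fresh_db():
    """Empty in-memory table with the schema from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table seq(id integer, sequence text)")
    return conn


def _try(conn, sql):
    """Execute one statement; return None on success or the exception raised.
    sqlite3 reports 'more than one statement' as Warning on older Pythons and
    as ProgrammingError on newer ones, so both are caught."""
    try:
        conn.execute(sql)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return exc
    return None


def insert_concat(conn, content):
    """The original poster's approach: splice the raw value into the SQL text.
    The value lands unquoted, so the parser sees 'Tum2 prophage complete' as
    bare tokens and reports a syntax error at 'prophage'."""
    return _try(conn, "insert into seq(id,sequence) values(3," + content + ")")


def insert_hand_quoted(conn, content):
    """The tempting repair: wrap the value in quotes by hand. It works until a
    value itself contains a quote, which either breaks the statement or ends
    it early and lets whatever follows be parsed as SQL."""
    return _try(conn, "insert into seq(id,sequence) values(3,'" + content + "')")


def insert_param(conn, content):
    """What the reply recommends: hand the value to the driver as a parameter.
    psycopg2 spells the placeholder %s, sqlite3 spells it ?; either way the
    value is bound separately and never becomes part of the SQL text."""
    conn.execute("insert into seq(id,sequence) values(3, ?)", (content,))
    return None


def stored_sequences(conn):
    """Rows currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("select sequence from seq order by rowid")]


def run_demo():
    """Run each strategy over SAMPLES on its own fresh table and report which
    values raised an error and which rows actually got stored."""
    report = {}
    for name, insert in (("concat", insert_concat),
                         ("hand_quoted", insert_hand_quoted),
                         ("param", insert_param)):
        conn = fresh_db()
        failed = [s for s in SAMPLES if insert(conn, s) is not None]
        report[name] = {"failed": failed, "stored": stored_sequences(conn)}
        conn.close()
    return report


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Running it shows the concatenated form failing on every value (the first one with exactly the "syntax error near prophage" the poster saw), the hand-quoted form storing only the value without an apostrophe, and the parameterised form storing all three verbatim. One caveat about the stand-in: Python's sqlite3 refuses to run more than one statement per execute(), so the third hand-quoted value merely errors here; psycopg2 sends the whole string to the server, which would happily run the trailing delete.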