psycopg
J. Clifford Dyer
jcd at sdf.lonestar.org
Wed Dec 12 09:45:11 EST 2007
On Wed, Dec 12, 2007 at 09:08:44AM -0500, Calvin Spealman wrote regarding Re: psycopg:
>
> Don't do that, for a number of reasons. String concatenation is really
> never a good idea and formatting your own query strings is exactly what
> leads to things like sql injection. Let the db library handle it for
> you:
>
If you don't know what a SQL injection is, and you don't feel like googling for it, this should give you a good idea of why this matters:
http://xkcd.com/327/
> cur.execute('insert into seq(id,sequence) values(3, %s)', (content,))
>
> Notice that, although we're using the %s placeholder, we are _not_
> using the % operator to format the string. This is because the db
> module will do any proper preparation of the value for you before
> inserting into the string.
>
> On Dec 12, 2007, at 8:31 AM, sujitha mary wrote:
>
> hi all,
> while executing this cur.execute('insert into seq(id,sequence)
> values(3,'+content+')')
> i'm getting an error psycopg2.ProgrammingError : syntax error at or
> near "prophage"
> LINE 1: insert into seq(id,sequence) values(3,Tum2 prophage
> complete...
>
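As an added example that is not part of the thread, the two approaches side by side: the concatenated statement fails the way the original post reports, and the bound parameter stores the value intact, quote characters included. It uses the standard library's sqlite3 driver as an offline stand-in for psycopg2 (sqlite3's DB-API placeholder is `?` where psycopg2's is `%s`); the table and sample values are constructed for the example.

```python
import sqlite3

# Constructed sample values. The first mirrors the one in the thread; the
# second carries a quote character, the kind of input hand-built quoting
# gets wrong.
SEQUENCES = ["Tum2 prophage complete sequence", "5' flanking region"]


def new_table():
    """In-memory sqlite3 stand-in for the Postgres table seq(id, sequence)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table seq(id integer, sequence text)")
    return conn


def insert_by_concatenation(conn, content):
    """The original approach: splice the Python value into the SQL text.
    The value lands unquoted, so the parser sees values(3,Tum2 prophage ...)
    and raises a syntax error, as psycopg2 did in the thread."""
    conn.execute("insert into seq(id,sequence) values(3," + content + ")")


def insert_by_binding(conn, content):
    """The fix: pass the value separately and let the driver quote it.
    psycopg2 uses %s as its placeholder, sqlite3 uses ?; in neither case is
    Python's % operator applied to the query string."""
    conn.execute("insert into seq(id,sequence) values(3, ?)", (content,))


def stored_sequence(conn):
    return conn.execute("select sequence from seq where id = 3").fetchone()[0]


def compare(content):
    """Return (concatenation_failed, value_stored_by_binding) for one value."""
    conn = new_table()
    try:
        insert_by_concatenation(conn, content)
        failed = False
    except sqlite3.OperationalError:
        failed = True
    insert_by_binding(conn, content)
    return failed, stored_sequence(conn)


if __name__ == "__main__":
    for seq in SEQUENCES:
        print(repr(seq), "->", compare(seq))
```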