Another MySQL Images Question

J. Cliff Dyer jcd at unc.edu
Fri Apr 18 11:48:38 EDT 2008


There are several problems with your SQL, but not all of them would be
caught by the computer.  Your SELECT statement is not parameterized.
This is a security problem.  *Always* parameterize your variables.  Your
UPDATE statement has an extraneous comma at the end, and it also has
quotes around the "%s"es that you don't need, because you already
parameterized that query.  Your dbapi interface will provide appropriate
quoting for whatever type of data you pass it.

Cheers,
Cliff


On Fri, 2008-04-18 at 10:13 -0500, Victor Subervi wrote:
> Hi;
> If I grab an image in the database thus:
>  
>       sql = "select pic1 from products where id='" + str(id) + "';"
>       cursor.execute(sql)
>       pic1 = cursor.fetchall()[0][0].tostring()
> #      pic1 = cursor.fetchall()[0][0]  // either this or the above line
> 
> and try and re-insert it thus:
>  
>       cursor.execute('update products set pic1="%s" where id="%s", ;', (pic1, id))
> 
> it tells me I have an error in my MySQL syntax. What is the error?
> TIA,
> Victor
-- 
Oook,
J. Cliff Dyer
Carolina Digital Library and Archives
UNC Chapel Hill
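Added example, not code from either poster: the unparameterized SELECT beside the parameterized SELECT and UPDATE that Cliff describes, with a round trip of image bytes between two rows. It uses the standard-library sqlite3 module in place of MySQLdb so that it runs offline; sqlite3 uses "?" where MySQLdb uses "%s" as the DB-API placeholder, and it returns BLOB columns as bytes, so no .tostring() step is needed. The table, the rows and the image bytes are constructed for the example.

```python
import sqlite3

# Constructed sample data: the first bytes of a PNG and of a JPEG stand in
# for real images. An in-memory SQLite database stands in for MySQL.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF"


def make_db():
    """Create a products table holding two constructed images."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (id integer primary key, pic1 blob)")
    conn.executemany(
        "insert into products (id, pic1) values (?, ?)",
        [(1, PNG_HEADER), (2, JPEG_HEADER)],
    )
    conn.commit()
    return conn


def fetch_pic_unsafe(conn, product_id):
    """The pattern from the original question: the id is pasted into the SQL.

    Whatever the caller passes becomes part of the statement text, so a value
    such as "1' or '1'='1" rewrites the WHERE clause instead of being compared.
    Returns every pic1 the query matched, to make that visible.
    """
    sql = "select pic1 from products where id='" + str(product_id) + "'"
    cur = conn.execute(sql)
    return [row[0] for row in cur.fetchall()]


def fetch_pic(conn, product_id):
    """Parameterized SELECT: the id travels as a bound value, never as SQL.

    The same crafted string now just fails to match any row.
    """
    cur = conn.execute("select pic1 from products where id=?", (product_id,))
    row = cur.fetchone()
    return row[0] if row else None


def store_pic(conn, product_id, data):
    """Parameterized UPDATE: no quotes around the placeholders, no trailing
    comma. The driver handles the quoting and escaping of the blob itself.
    Returns the number of rows changed."""
    cur = conn.execute(
        "update products set pic1=? where id=?", (data, product_id)
    )
    conn.commit()
    return cur.rowcount


def copy_pic(conn, src_id, dst_id):
    """Read an image out of one row and re-insert it into another, the round
    trip from the original question, with parameters on both statements."""
    data = fetch_pic(conn, src_id)
    if data is None:
        return 0
    return store_pic(conn, dst_id, data)


if __name__ == "__main__":
    db = make_db()
    crafted = "1' or '1'='1"
    print("unsafe, crafted id ->", len(fetch_pic_unsafe(db, crafted)), "rows")
    print("parameterized, crafted id ->", fetch_pic(db, crafted))
    print("rows updated by copy:", copy_pic(db, 1, 2))
    print("row 2 now holds:", fetch_pic(db, 2))
```

The unsafe function returns both rows for the crafted id because the quote in the value closes the literal and the rest is parsed as SQL; the parameterized version returns nothing for the same input. Note that the blob is passed straight to execute(): wrapping the placeholder in quotes would turn it into a string literal rather than a parameter.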