Another MySQL Problem
John Nagle
nagle at animats.com
Fri Dec 18 13:17:25 EST 2009
MRAB wrote:
> Victor Subervi wrote:
>> Hi;
>>
>> mysql> truncate tem126072414516;
>> Query OK, 0 rows affected (0.00 sec)
>>
>> Then I run a script:
>>
>> if whatDo == 'insert':
>>     try:
>>         sql = 'insert into %s (ProdID, Quantity) values ("%s", "%s");' % \
>>             (tmpTable, prodid, quantity)
>>         print sql
>>         cursor.execute(sql)
Don't put values into an SQL statement using the "%" operator. It doesn't
do SQL escapes and allows SQL injection attacks.
Try something more like this (assuming that tmpTable does NOT come
from external input, which would be very risky).
cursor = db.cursor() ## create cursor
sql = 'insert into ' + tmpTable + ' (ProdID, Quantity) values (%s,%s);'
values = (prodid, quantity) ## values to insert
print sql
cursor.execute(sql, values) ## let SQL do the substitution
db.commit() ## commit transaction
> 1. The table names look different.
> 2. Did you commit the changes?
That, too.
John Nagle
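The following is an added example, not code from the thread. It puts the "%"-spliced statement from the original post next to the parameterised form John recommends, and adds the one thing his reply leaves implicit: since a table name cannot be bound as a parameter, it has to be checked separately. The thread uses MySQLdb; the standard-library sqlite3 module is used here so the example runs offline (sqlite3 binds with "?", MySQLdb with "%s"), single-quoted string literals replace the post's double quotes, and the table name "tem126072414516" and the "O'Reilly" sample value are taken from or constructed for this demonstration.

```python
import re
import sqlite3

# Added example, not code from the original thread. The thread uses MySQLdb;
# sqlite3 from the standard library is used here so it runs offline. The
# parameter marker differs: sqlite3 uses "?", MySQLdb uses "%s".

# A table name cannot be passed as a query parameter (the driver would bind
# it as a string literal), so it is checked against a strict pattern instead.
TABLE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_table_name(name):
    """Return name unchanged if it is a plain identifier, otherwise raise."""
    if not TABLE_NAME.match(name):
        raise ValueError("refusing table name %r" % (name,))
    return name


def build_unsafe_sql(table, prodid, quantity):
    """The pattern from the original post: values spliced in with '%'.
    A quote character inside prodid ends the string literal early, so the
    statement breaks (or, in the worst case, changes meaning)."""
    return "insert into %s (ProdID, Quantity) values ('%s', '%s');" % (
        table, prodid, quantity)


def insert_unsafe(db, table, prodid, quantity):
    db.execute(build_unsafe_sql(table, prodid, quantity))
    db.commit()


def insert_safe(db, table, prodid, quantity):
    """Parameterised form: the driver escapes and binds the values itself."""
    sql = ("insert into " + check_table_name(table)
           + " (ProdID, Quantity) values (?, ?)")
    db.execute(sql, (prodid, quantity))
    db.commit()  # MRAB's second point: without commit the row is never visible
    return sql


def make_db():
    """Constructed in-memory schema mirroring the table named in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("create table tem126072414516 (ProdID text, Quantity integer)")
    return db


def rows(db, table):
    return db.execute(
        "select ProdID, Quantity from " + check_table_name(table)).fetchall()


if __name__ == "__main__":
    db = make_db()
    insert_safe(db, "tem126072414516", "O'Reilly", 2)
    print(rows(db, "tem126072414516"))  # [("O'Reilly", 2)]
    try:
        insert_unsafe(db, "tem126072414516", "O'Reilly", 2)
    except sqlite3.OperationalError as e:
        print("unsafe form failed:", e)
```

The bound version stores the apostrophe verbatim because the driver never lets the value touch the SQL text; the spliced version produces `values ('O'Reilly', '2')`, which the parser rejects. The identifier check is the cheap substitute for the "assuming tmpTable does not come from external input" caveat in the reply above.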