Just To Be Sure...MySQL

Victor Subervi victorsubervi at gmail.com
Sat May 22 10:25:56 EDT 2010


Hi;
A lister recently responded to my post concerning mysql commands of the
following type:

cursor.execute('insert into foo values (%s, %s)' % (bar, something))

stating that I need to eliminate the "%" to prevent injection attacks, thus:

cursor.execute('insert into foo values (%s, %s)', (bar, something))

My question is simply this: Is that advice good for *all* mysql commands? Or
are there some where the "%" is necessary and a comma would fail? I need to
update lots of mysql commands. If I can do it without harmful consequences,
I'll do it across the board. Otherwise, I'll have to test each one.
TIA,
beno
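The two forms from the post side by side, as an added example that is not part of the original message or the list reply. It uses the standard-library sqlite3 module so it runs offline; sqlite3 binds parameters with `?` where MySQLdb uses `%s`, but the mechanism is the same: the tuple passed as the second argument to execute() reaches the driver as data and is never spliced into the SQL text. The table, rows and payload are constructed for the demonstration.

```python
"""Added example (not from the original post): why '%' interpolation is
injectable and parameter binding is not, using sqlite3 (a '?' paramstyle
driver; MySQLdb uses '%s', same principle)."""
import sqlite3


def make_db():
    # Constructed sample data: two rows in the 'foo' table from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (bar text, something text)")
    conn.execute("insert into foo values ('alice', 'secret-a')")
    conn.execute("insert into foo values ('bob', 'secret-b')")
    conn.commit()
    return conn


def lookup_unsafe(conn, bar):
    # The pattern from the post: Python's % splices the value into the SQL,
    # so a quote in 'bar' changes the statement itself.
    sql = "select something from foo where bar = '%s'" % bar
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, bar):
    # Parameter binding: SQL and data travel separately; 'bar' can only
    # ever be compared as a string, whatever characters it contains.
    rows = conn.execute("select something from foo where bar = ?", (bar,))
    return sorted(row[0] for row in rows)


def insert_unsafe(conn, bar, something):
    conn.execute("insert into foo values ('%s', '%s')" % (bar, something))


def insert_safe(conn, bar, something):
    conn.execute("insert into foo values (?, ?)", (bar, something))


def identifier_binding_fails(conn):
    """Placeholders bind values only. A table or column name cannot be a
    parameter, so statements that build identifiers from variables are the
    one case where the comma form does not apply (whitelist those names)."""
    try:
        conn.execute("select something from ?", ("foo",))
    except sqlite3.Error:
        return True
    return False


def demo():
    conn = make_db()
    payload = "nobody' OR '1'='1"   # constructed attacker input
    results = {
        # Interpolated: WHERE bar = 'nobody' OR '1'='1' -> every row leaks.
        "unsafe_leaks": lookup_unsafe(conn, payload),
        # Bound: compared literally against the 17-character string -> no row.
        "safe_no_match": lookup_safe(conn, payload),
    }
    # A legitimate value with an apostrophe: the interpolated INSERT is a
    # syntax error, the bound INSERT stores it verbatim.
    try:
        insert_unsafe(conn, "o'brien", "x")
        results["unsafe_quote"] = "ok"
    except sqlite3.Error:
        results["unsafe_quote"] = "syntax error"
    insert_safe(conn, "o'brien", "x")
    results["safe_quote"] = lookup_safe(conn, "o'brien")
    results["identifier_bind"] = identifier_binding_fails(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

So the comma form is safe to apply to every statement whose variable parts are values (INSERT, UPDATE, SELECT, DELETE, WHERE clauses, LIMIT arguments and so on). It cannot be used for table or column names, which the driver will not bind. One MySQLdb-specific caveat: because that driver performs its own `%` interpolation when a parameter tuple is supplied, a literal percent sign in the SQL text (for example in `LIKE 'abc%'`) must be written as `%%` once you start passing parameters, or the driver will misread it as a placeholder.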