Just To Be Sure...MySQL

Christian Heimes lists at cheimes.de
Sat May 22 12:18:36 EDT 2010


Am 22.05.2010 18:09, schrieb Adam Tauno Williams:
> On Sat, 2010-05-22 at 18:06 +0200, Christian Heimes wrote:
>>> A lister recently responded to my post concerning mysql commands of the
>>> following type:
>>>
>>> cursor.execute('insert into foo values (%s, %s)' % (bar, something))
>>>
>>> stating that I need to eliminate the "%" to prevent injection attacks, thus:
>>>
>>> cursor.execute('insert into foo values (%s, %s)', (bar, something))
>>>
>>> My question is simply this: Is that advice good for *all* mysql commands? Or
>>> are there some where the "%" is necessary and a comma would fail? I need to
>>> update lots of mysql commands. If I can do it without harmful consequences,
>>> I'll do it across the board. Otherwise, I'll have to test each one.
>>> TIA,
>>> beno
>>
>> You *MUST NOT* use string formatting for SQL commands unless you
>
> +1
>
> And they are hideous code.
>
> Use an ORM: <http://freshmeat.net/projects/sqlalchemy>

How about using a proper RDBMS that supports SQL standards, triggers, 
foreign keys and functions first? :)
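The two forms from the thread side by side, as an added example that is not code from any of the posters: the standard-library sqlite3 module stands in for MySQLdb (whose DB-API paramstyle is `%s`, which is why the corrected line still contains `%s` but passes the values as a separate tuple); the table, column names and sample row are assumptions.

```python
import sqlite3

# Constructed sample value: an ordinary string containing an apostrophe.
SAMPLE_ROW = ("O'Reilly", "note")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (bar text, something text)")
    return conn


def insert_formatted(conn, bar, something):
    """The pattern from the thread: SQL text built with the % operator.
    The database sees whatever characters the values contain, so a quote
    inside the data becomes a quote inside the statement."""
    # sqlite3 has no '%s' paramstyle, so the quotes are written by hand to
    # mirror what a formatted string-literal insert produces.
    sql = "insert into foo values ('%s', '%s')" % (bar, something)
    conn.execute(sql)


def insert_bound(conn, bar, something):
    """The corrected pattern: placeholders plus a separate parameter tuple.
    The driver escapes or binds the values itself, so data is never parsed
    as SQL. sqlite3 uses '?' where MySQLdb uses '%s'.
    Placeholders bind values only; table and column names cannot be
    parameterised this way."""
    conn.execute("insert into foo values (?, ?)", (bar, something))


def count_rows(conn):
    return conn.execute("select count(*) from foo").fetchone()[0]


def demo():
    """Returns (formatted_ok, row_count, stored_value): the formatted insert
    breaks on the apostrophe, the bound insert stores it intact."""
    conn = new_db()
    try:
        insert_formatted(conn, *SAMPLE_ROW)
        formatted_ok = True
    except sqlite3.OperationalError:  # syntax error near "Reilly"
        formatted_ok = False
    insert_bound(conn, *SAMPLE_ROW)
    stored = conn.execute("select bar from foo").fetchone()[0]
    return formatted_ok, count_rows(conn), stored


if __name__ == "__main__":
    print(demo())
```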
