Why Doesn't This MySQL Statement Execute?
Hans Mulder
hansmu at xs4all.nl
Tue Dec 18 17:57:10 EST 2012
On 18/12/12 22:34:08, Tom Borkin wrote:
> Hi;
> I have this test code:
>
> if i_id == "1186":
>     sql = 'insert into interactions values(Null, %s, "Call Back", "%s")' % (i_id, date_plus_2)
>     cursor.execute(sql)
>     db.commit()
>     print sql
> It prints the sql statement, but it doesn't execute. If I copy and paste
> the sql into the mysql command line it does execute without warnings or
> errors. What gives?
What happens if you do:
if i_id == "1186":
    sql = 'insert into interactions values(Null, %s, "Call Back", %s)'
    cursor.execute(sql, (i_id, date_plus_2))
    db.commit()
    print sql
Note the absence of quotes around the second %s in the sql command.
This should work correctly even if date_plus_2 happens to contain
Robert"); DROP TABLE interactions; --
For background information, see http://bobby-tables.com/python.html
Hope this helps,
-- HansM
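The difference Hans describes, shown as an added example that is not part of the original thread. It uses Python 3 and the standard-library sqlite3 module as a stand-in for MySQLdb (so it runs offline); sqlite3 spells its placeholder `?` where MySQLdb uses `%s`, but the principle is the same: the parameter tuple is handed to the driver separately and never becomes part of the SQL text. The table layout, the row values and the helper names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample values, not taken from the thread.
I_ID = "1186"
BENIGN_DATE = "2012-12-20"
# The hostile value Hans mentions, used here only to show it is stored as data.
HOSTILE_DATE = 'Robert"); DROP TABLE interactions; --'


def naive_sql(i_id, date_plus_2):
    """Build the statement the way the original code did: with % formatting.

    The value is spliced into the SQL text, so any quote characters it
    contains change the shape of the statement itself.
    """
    return ('insert into interactions values(Null, %s, "Call Back", "%s")'
            % (i_id, date_plus_2))


def parameterised_insert(conn, i_id, date_plus_2):
    """Hans's approach: placeholders in the SQL, values in a separate tuple.

    sqlite3 uses '?' placeholders (MySQLdb uses '%s'); either way the driver
    quotes/escapes the values itself, so the statement text never changes.
    Returns all rows so the caller can see what was actually stored.
    """
    cur = conn.cursor()
    cur.execute(
        "insert into interactions values(Null, ?, 'Call Back', ?)",
        (i_id, date_plus_2),
    )
    conn.commit()
    cur.execute("select id, i_id, kind, due from interactions")
    return cur.fetchall()


def demo(date_plus_2=HOSTILE_DATE):
    """Create an in-memory table (constructed schema) and insert one row
    with the parameterised statement. The table survives and the hostile
    string lands verbatim in the 'due' column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table interactions "
        "(id integer primary key, i_id text, kind text, due text)"
    )
    return parameterised_insert(conn, I_ID, date_plus_2)


if __name__ == "__main__":
    print("formatted, benign :", naive_sql(I_ID, BENIGN_DATE))
    print("formatted, hostile:", naive_sql(I_ID, HOSTILE_DATE))
    print("parameterised rows:", demo())
```

Running it side by side makes the point: the formatted string with the hostile value is no longer a single insert statement, while the parameterised path stores exactly the bytes it was given and leaves the table intact.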