'Lite' Databases (Re: sqlite3 and dates)
Mark Lawrence
breamoreboy at yahoo.co.uk
Thu Feb 19 00:32:31 EST 2015
On 19/02/2015 00:08, Mario Figueiredo wrote:
>
> Parameterized queries are just a pet peeve of mine that I wish to
> include here. SQLite misses it and I miss the fact SQLite misses it.
> The less SQL one needs to write in their code, the happier one should
> be.
>
https://docs.python.org/3/library/sqlite3.html#module-sqlite3 paragraphs
seven and eight.
"Usually your SQL operations will need to use values from Python
variables. You shouldn’t assemble your query using Python’s string
operations because doing so is insecure; it makes your program
vulnerable to an SQL injection attack (see http://xkcd.com/327/ for a
humorous example of what can go wrong).
Instead, use the DB-API’s parameter substitution. Put ? as a placeholder
wherever you want to use a value, and then provide a tuple of values as
the second argument to the cursor’s execute() method. (Other database
modules may use a different placeholder, such as %s or :1.) For example:..."
--
My fellow Pythonistas, ask not what our language can do for you, ask
what you can do for our language.
Mark Lawrence
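As an added illustration of the quoted docs (not code from the post or from the Python documentation), the following puts the string-formatting anti-pattern next to the `?` and `:name` placeholder forms on a constructed in-memory database, so the difference in behaviour on a hostile value is visible:

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Return an in-memory SQLite connection seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Anti-pattern: the value is spliced into the SQL text, so quote
    characters inside it are parsed as SQL rather than as data."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """DB-API qmark style: '?' marks the slot, the tuple carries the value.
    The driver binds the value; it is never interpreted as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_named(conn, name):
    """sqlite3 also supports named placeholders bound from a mapping."""
    sql = "SELECT email FROM users WHERE name = :name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"          # classic tautology from the xkcd joke
    print(lookup_unsafe(conn, "alice"))   # ['alice@example.com']
    print(lookup_unsafe(conn, hostile))   # every row leaks
    print(lookup_safe(conn, hostile))     # [] -- no user literally named that
    print(lookup_named(conn, "bob"))      # ['bob@example.com']
```

The same `(sql, params)` shape works for `executemany`, which is also how the seed rows above are inserted.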