I want to insert beacon scan result in to a database using python and mysql

Chris Angelico rosuav at gmail.com
Thu Nov 10 13:32:10 EST 2016


On Fri, Nov 11, 2016 at 2:36 AM, Michael Torrie <torriem at gmail.com> wrote:
> On 11/10/2016 06:15 AM, Dennis Lee Bieber wrote:
>> On Wed, 9 Nov 2016 21:05:50 -0800 (PST), sudeeratechneed at gmail.com
>> declaimed the following:
>>
>>>
>>> sql = "insert into beacon VALUES(null, '%s')" % \
>>> (beacon)
>>>
>>       DON'T DO THAT...
>
> Wouldn't hurt to include a brief why on this, and the right way to do
> this.  The why is, of course, that this operation is vulnerable to SQL
> injection. This should be avoided as a matter of practice, even if
> you're not taking input from anyone but yourself.  The correct way to do
> this is to use a prepared statement.  And of course the relevant xkcd
> is:  https://xkcd.com/327/

The easiest way is to use a parameterized query:

cur.execute("insert into beacon VALUES(null, %s)", (beacon,))

I don't understand why so many people conflate parameterized with
prepared. "Prepared statements" have a two-step execution.
"Parameterized queries" needn't.

ChrisA
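A runnable illustration of the point made in this thread, added here as an example and not part of the original post or of anyone's code above: it runs the quoted `%`-formatted INSERT and a parameterized INSERT side by side over the same inputs. It uses Python's built-in sqlite3 module (placeholder `?`) as a stand-in for MySQL so it runs offline; with MySQLdb or PyMySQL the placeholder is `%s`, as in the line above. The `beacon` table layout and the sample scan results are constructed for the example.

```python
import sqlite3

# Constructed sample "scan results" (not real data). The second one is an
# ordinary value containing an apostrophe; the third is a deliberate
# injection payload that smuggles an extra row into the INSERT.
SAMPLE_BEACONS = [
    "AA:BB:CC:DD:EE:FF rssi=-61",
    "Bob's iBeacon rssi=-70",
    "x'), (null, 'injected",
]


def open_db():
    # In-memory sqlite database with an assumed two-column 'beacon' table
    # (auto-assigned id plus the raw scan string), standing in for MySQL.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table beacon (id integer primary key, name text)")
    return conn


def insert_unsafe(conn, beacon):
    # The pattern from the original post: the value is pasted into the SQL
    # text, so quotes inside it become part of the statement.
    sql = "insert into beacon VALUES(null, '%s')" % (beacon,)
    conn.execute(sql)


def insert_safe(conn, beacon):
    # Parameterized query: the driver sends the value separately from the
    # SQL text, so it can never be parsed as SQL. sqlite3 uses '?'; the
    # MySQL drivers use '%s' as the placeholder (note: no quotes around it).
    conn.execute("insert into beacon VALUES(null, ?)", (beacon,))


def rows(conn):
    # Return the stored scan strings in insertion order.
    return [name for (name,) in conn.execute("select name from beacon order by id")]


def demo():
    # Run both inserters over the sample inputs and report what ended up in
    # the table and how many statements failed to parse.
    results = {}
    for label, inserter in (("unsafe", insert_unsafe), ("safe", insert_safe)):
        conn = open_db()
        errors = 0
        for beacon in SAMPLE_BEACONS:
            try:
                inserter(conn, beacon)
            except sqlite3.Error:
                # The apostrophe in "Bob's iBeacon" breaks the unsafe query.
                errors += 1
        results[label] = {"rows": rows(conn), "errors": errors}
        conn.close()
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Running it shows the two failure modes of the `%` version: the apostrophe makes the statement a syntax error, and the payload value stores two rows ("x" and "injected") instead of one. The parameterized version stores all three strings exactly as given, which is also why it needs no quoting or escaping code around the value.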
