I wish that [].append(x) returned [x]
Jean-Paul Calderone
exarkun at divmod.com
Wed May 2 16:34:35 EDT 2007
On Wed, 02 May 2007 13:05:08 -0700, Tobiah <toby at tobiah.org> wrote:
>
>> In addition to the above good advice, in case you are submitting a query
>> to a DB-API compliant SQL database, you should use query parameters
>> instead of building the query with string substitution.
>
>I tried that a long time ago, but I guess I found it to be
>more awkward. I imagine that it is quite a bit faster that way?
>I'm using MySQLdb.
>
Given
name = raw_input("What is your name?")
cursor.execute("INSERT INTO users (name) VALUES ('%s')" % (name,))
if I enter my name to be "'; DELETE FROM users;", then you are
probably going to be slightly unhappy. However, if you insert
rows into your database like this:
cursor.execute("INSERT INTO users (name) VALUES (%s)", (name,))
then I will simply end up with a funny name in your database, instead
of being able to delete all of your data.
Jean-Paul
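The two execute() calls in the message above, run side by side as an added example (not code from the post). It uses Python's bundled sqlite3 module instead of MySQLdb so it runs offline; sqlite3's paramstyle is "qmark" (a "?" placeholder) where MySQLdb uses "%s". The hostile name and the users table are constructed for the demonstration.

```python
import sqlite3

# Constructed input mirroring the name typed in the post.
HOSTILE_NAME = "'; DELETE FROM users;"


def unsafe_query(name):
    """Build the statement the way the first execute() in the post does.

    The value is spliced into the SQL text with % substitution, so the
    single quote inside `name` closes the string literal early and the
    rest of the input becomes SQL. Returns the text that would be sent.
    """
    return "INSERT INTO users (name) VALUES ('%s')" % (name,)


def unsafe_attempt(conn, name):
    """Try to run the string-substituted statement.

    sqlite3 refuses to execute more than one statement per execute(), so
    the spliced text is rejected before anything runs. A driver that does
    accept multiple statements would execute the injected DELETE instead.
    """
    try:
        conn.execute(unsafe_query(name))
        return "executed"
    except (sqlite3.Error, sqlite3.Warning):
        return "rejected by driver"


def insert_with_parameters(conn, name):
    """The second execute() in the post: the value travels as a parameter.

    The driver never places it inside the SQL text, so whatever the user
    typed is stored verbatim as one column value.
    """
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY rowid")]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    insert_with_parameters(conn, "Alice")
    insert_with_parameters(conn, HOSTILE_NAME)
    return stored_names(conn)


if __name__ == "__main__":
    print("string substitution sends:", unsafe_query(HOSTILE_NAME))
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    print("string substitution result:", unsafe_attempt(conn, HOSTILE_NAME))
    print("parameterised rows:", demo())
```

Compare the two outputs: the substituted statement is no longer a single INSERT, while the parameterised version keeps the "funny name" as an ordinary row. The same separation of SQL text from values is what a %s placeholder in MySQLdb's execute(query, params) form gives you.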