[Tutor] Tutor Digest, Vol 16, Issue 7

Greg Lindstrom tubaranger at gmail.com
Fri Jun 3 01:35:34 CEST 2005


> 
> >data = {}
> >data['start_date'] = '2005-6-2'
> >data['last_name'] = 'Johnson'
> >
> >query = '''
> > SELECT *
> > FROM my_table
> > WHERE date >= '%(start_date)s'
> > AND last_name = '%(last_name)s'
> >''' % data
> >results = my_database.Execute(query)
> 
> 
> First up. This is a "bad idea".
> 
> It may be ok now, as long as you have absolute control
> over what start_date and last_name are, but what about
> next week when you decide ... "let's allow the user to put
> in the dates for start_date" and they make start_date
> "'6-2-05'; DELETE FROM my_table; SELECT * FROM my_table
> WHERE date='6-2-05' "
> 
> Instead, use the arg quoting mechanism from the db
> interface you are using. You don't say which one that
> is, but it should look something like ...
> 
> data = {}
> data['start_date'] = '2005-6-2'
> data['last_name'] = 'Johnson'
> 
> query = '''
> SELECT *
> FROM my_table
> WHERE date >= %(start_date)s
> AND last_name = %(last_name)s
> '''
> results = my_database.execute(query, data)

 Very nice. Thank-you.
--greg
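The two versions from the quoted reply, side by side, as an added example that is not code from the thread. It uses Python's bundled sqlite3 module, whose placeholder style is `:name` rather than the `%(name)s` style the reply shows (which is what drivers like MySQLdb and psycopg2 accept); in either style the placeholder is written without surrounding quotes, because the driver quotes the bound value itself. The table, rows, and payloads are constructed here; dates are zero-padded ISO strings so that text comparison on the date column behaves. sqlite3's execute() refuses more than one statement, so the stacked DELETE payload from the reply is run through executescript() to mimic a driver that does allow it.

```python
import sqlite3

# Constructed sample data (not from the original thread).
ROWS = [
    ("2005-05-30", "Johnson"),
    ("2005-06-02", "Johnson"),
    ("2005-06-02", "Smith"),
    ("2005-06-03", "Nguyen"),
]

# Same shape as the vulnerable snippet in the thread: values become SQL text.
UNSAFE_TEMPLATE = '''
SELECT *
FROM my_table
WHERE date >= '%(start_date)s'
AND last_name = '%(last_name)s'
'''

# Parameterized form; sqlite3 uses :name placeholders, never quoted.
SAFE_TEMPLATE = '''
SELECT *
FROM my_table
WHERE date >= :start_date
AND last_name = :last_name
'''

HONEST = {"start_date": "2005-06-02", "last_name": "Johnson"}
# Classic tautology payload: turns the WHERE clause into "... OR '1'='1'".
LEAK = {"start_date": "2005-06-02", "last_name": "Johnson' OR '1'='1"}
# The stacked-statement payload from the thread, with an ISO date.
STACKED = {
    "start_date": "2005-06-02'; DELETE FROM my_table; "
                  "SELECT * FROM my_table WHERE date='2005-06-02",
    "last_name": "Johnson",
}


def make_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (date TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO my_table VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM my_table").fetchone()[0]


def search_unsafe(conn, data):
    """String interpolation: attacker text is parsed as part of the query."""
    return conn.execute(UNSAFE_TEMPLATE % data).fetchall()


def search_safe(conn, data):
    """Parameter binding: the driver sends values separately from the SQL."""
    return conn.execute(SAFE_TEMPLATE, data).fetchall()


def stacked_attack_unsafe(conn, data):
    """Run the interpolated query through executescript() to mimic a driver
    that accepts ';'-separated statements. executescript() discards SELECT
    results, so the remaining row count is returned to show the damage."""
    conn.executescript(UNSAFE_TEMPLATE % data)
    return row_count(conn)


def demo():
    """Compare both query styles against honest and malicious input."""
    conn = make_db()
    results = {
        "honest_unsafe": search_unsafe(conn, HONEST),
        "honest_safe": search_safe(conn, HONEST),
        # Leak: the unsafe query returns every row, the safe one none.
        "leak_unsafe_rows": len(search_unsafe(conn, LEAK)),
        "leak_safe_rows": len(search_safe(conn, LEAK)),
        # Stacked DELETE: harmless when bound, destructive when interpolated.
        "stacked_safe_rows": len(search_safe(conn, STACKED)),
        "rows_after_safe": row_count(conn),
        "rows_after_unsafe": stacked_attack_unsafe(conn, STACKED),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The honest input gives the same single row either way; the difference only shows once the input is hostile, which is exactly the "next week" scenario the reply warns about.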

