[Tutor] Python CGI Script

Danny Yoo dyoo at hkn.eecs.berkeley.edu
Wed Sep 20 20:32:13 CEST 2006


>        query1 = """SELECT ABC FROM %s limit %s,%s"""\
>                      % (self.tableid,self.rangeid1,self.rangeid2)

Just as a note: please don't do this!  *grin*

Don't build query strings up like this: this is very prone to an SQL 
injection attack.  See:

     http://mail.python.org/pipermail/tutor/2003-April/022010.html

which talks about this a bit more.
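An added illustration (not code from this thread or from the original poster) of the point above: the quoted `%` formatting puts whatever the caller supplies straight into the SQL text, while a parameterized query keeps data out of the statement entirely. Table names cannot be bound as parameters, so the hardened version checks the identifier against an allowlist first. The table `abc`, its rows, and the function names are constructed for this example; it uses the standard library's `sqlite3`, whose `LIMIT ? OFFSET ?` matches the `limit offset,count` form in the quoted MySQL-style code.

```python
import sqlite3

# Tables the application actually has. Identifiers (table and column names)
# cannot be bound as query parameters, so they are vetted against this set.
# The table name "abc" is a constructed example.
KNOWN_TABLES = {"abc"}


def make_demo_db():
    """Build an in-memory SQLite database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE abc (ABC TEXT)")
    conn.executemany("INSERT INTO abc VALUES (?)",
                     [("row%d" % i,) for i in range(10)])
    conn.commit()
    return conn


def build_unsafe_sql(tableid, rangeid1, rangeid2):
    """The pattern from the quoted post: every argument lands verbatim in
    the SQL text, whether or not it is a number. Shown only so the two
    approaches can be compared; do not execute strings built this way."""
    return "SELECT ABC FROM %s limit %s,%s" % (tableid, rangeid1, rangeid2)


def is_allowed_table(tableid):
    """Identifier allowlist check (exact match, no normalisation)."""
    return tableid in KNOWN_TABLES


def fetch_range(conn, tableid, offset, count):
    """Hardened version: the identifier is allowlisted, the two numbers are
    coerced to int and bound as parameters, so user input never becomes
    part of the statement text."""
    if not is_allowed_table(tableid):
        raise ValueError("unknown table: %r" % (tableid,))
    offset = int(offset)   # raises ValueError on anything that is not an integer
    count = int(count)
    # Only the vetted identifier is interpolated; the numbers go in as parameters.
    sql = "SELECT ABC FROM %s LIMIT ? OFFSET ?" % tableid
    cur = conn.execute(sql, (count, offset))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    conn = make_demo_db()
    print(build_unsafe_sql("abc", "2", "3"))   # SELECT ABC FROM abc limit 2,3
    print(fetch_range(conn, "abc", 2, 3))      # ['row2', 'row3', 'row4']
```

The `int()` coercion is the cheap way to guarantee the bound values are numbers; the allowlist is what stands in for parameter binding where binding is not available (identifiers). Anything failing either check is rejected before a statement is ever sent to the database.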

