[Tutor] Python CGI Script
Python
python at venix.com
Thu Sep 21 00:27:46 CEST 2006
On Wed, 2006-09-20 at 15:46 -0600, Mike Hansen wrote:
>
> > -----Original Message-----
> > Subject: Re: [Tutor] Python CGI Script
> >
> > > query1 = """SELECT ABC FROM %s limit %s,%s"""\
> > > % (self.tableid,self.rangeid1,self.rangeid2)
> >
> > Just as a note: please don't do this! *grin*
> >
> > Don't build query strings up like this: this is very prone to an SQL
> > injection attack. See:
> >
> > http://mail.python.org/pipermail/tutor/2003-April/022010.html
> >
> > which talks about this a bit more.
> >
>
> I just wanted to verify what I believe to be correct way of doing this.
>
> sql_statement = "INSERT INTO images (image) VALUES (%s)"
> cur.execute(sql_statement, (data_obj, ))
>
> Is it just moving the variable substitution to the execute statement as
> a tuple, so it will perform the proper quoting?
Yes, this looks good. (Looks like MySQL paramstyle.)
>
> Thanks,
>
> Mike
--
Lloyd Kvam
Venix Corp
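The two patterns discussed in the thread side by side, as an added example that is not code from the original message. It runs against an in-memory SQLite database so it works offline; sqlite3 uses the `qmark` paramstyle (`?`) rather than the `%s` format style of the MySQL driver Mike used, but the mechanism is identical: the value is passed to `execute()` as a tuple and the driver binds it, so a quote inside the value can never be read as SQL. The sample rows and the `ALLOWED_TABLES` set are constructed for the demonstration. The last function covers the part of the original `query1` that parameters cannot fix: a table name is an identifier, not a value, so it is checked against an allow-list before being interpolated, while the `LIMIT` bounds are bound as parameters.

```python
"""Added example (not from the original thread): string-formatted SQL beside
its parameterised form, run against an in-memory SQLite database.

Assumption: sqlite3 uses the 'qmark' paramstyle ('?'); the MySQL driver in the
thread uses 'format' ('%s'). The binding mechanism is the same in both.
"""
import sqlite3

# Constructed sample data; the last owner contains a quote on purpose.
ROWS = [("alice", "img-a"), ("bob", "img-b"), ("carol", "img-c"), ("o'brien", "img-d")]

# Hypothetical allow-list of table names the application is permitted to query.
ALLOWED_TABLES = {"images", "archive"}


def make_db():
    """Create and populate a throwaway in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (owner TEXT, image TEXT)")
    conn.executemany("INSERT INTO images VALUES (?, ?)", ROWS)
    return conn


def fetch_formatted(conn, owner):
    """The pattern the thread warns against: the value is pasted into the SQL text.

    A quote in the value ends the string literal early, so the statement no
    longer parses. Returns the rows on success or the driver's error message.
    """
    sql = "SELECT image FROM images WHERE owner = '%s'" % owner
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "query failed: %s" % exc


def fetch_parameterised(conn, owner):
    """The corrected pattern: the value travels as a parameter, never as SQL."""
    rows = conn.execute("SELECT image FROM images WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def fetch_range(conn, table, start, count):
    """Identifiers cannot be bound; validate the table name against an allow-list.

    The LIMIT bounds are ordinary values and are bound as parameters.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % (table,))
    sql = "SELECT image FROM %s ORDER BY owner LIMIT ?, ?" % table
    return [row[0] for row in conn.execute(sql, (start, count))]


if __name__ == "__main__":
    db = make_db()
    print(fetch_formatted(db, "alice"))        # works for a plain value
    print(fetch_formatted(db, "o'brien"))      # breaks: the quote ends the literal
    print(fetch_parameterised(db, "o'brien"))  # bound parameter handles it
    print(fetch_range(db, "images", 1, 2))     # bob and carol
```

Both functions behave the same on a plain value; the difference only shows once the input contains a quote, which is exactly the case the formatted version gets wrong. The `fetch_range` check matters because `execute()` parameters can only stand in for values, so the original query's `%s` for `self.tableid` still needs an explicit allow-list even after the `LIMIT` arguments are moved into the tuple.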