[Tutor] ODBC SQL Server Question
Jeff Johnson
jeff at dcsoftware.com
Fri Sep 18 20:14:45 CEST 2009
Kent:
How about this:
self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, ))
Question: does execute know to substitute the question mark with name?
self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, ))
TIA
Kent Johnson wrote:
> On Fri, Sep 18, 2009 at 11:49 AM, Jeff Johnson <jeff at dcsoftware.com> wrote:
>> Kristina:
>>
>> I would format it as follows:
>>
>> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % name)
>
> No, that is a recipe for SQL injection attacks such as this:
> http://xkcd.com/327/
>
>>> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name))
>
> I think that should have a comma to create a tuple:
> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name,))
>
> I don't know if that could cause your problem.
> Kent
--
Jeff
Jeff Johnson
jeff at dcsoftware.com
Phoenix Python User Group - sunpiggies at googlegroups.com
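As an added illustration (not part of the original thread), the three variants discussed above run side by side. The standard-library sqlite3 module stands in for the ODBC driver here because it uses the same qmark parameter style (`?`) as pyodbc; the table and rows are constructed sample data. It shows that execute does bind the value for the `?` placeholder, that string-formatting the value into the SQL text breaks the statement as soon as the name contains a quote, and that `(name)` without the trailing comma is just a string, which the driver treats as one binding per character.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the ODBC-backed Stories table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Stories (CUSTID INTEGER, NAME TEXT)")
    conn.executemany(
        "INSERT INTO Stories VALUES (?, ?)",
        [(1, "Alice"), (2, "O'Brien"), (3, "Bob")],
    )
    return conn


def lookup_formatted(conn, name):
    """The %-formatting version from the thread: the value is spliced into
    the SQL text itself, so a quote inside it changes the statement."""
    cur = conn.cursor()
    cur.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name,))
    return [row[0] for row in cur.fetchall()]


def lookup_parameterized(conn, name):
    """The parameterized version: the driver binds the value to the ?
    placeholder, so the name is always treated as a literal string."""
    cur = conn.cursor()
    cur.execute("SELECT CUSTID FROM Stories WHERE NAME = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def lookup_missing_comma(conn, name):
    """(name) is not a tuple, just the string, so the driver sees a
    sequence of characters and tries to bind one parameter per character."""
    cur = conn.cursor()
    cur.execute("SELECT CUSTID FROM Stories WHERE NAME = ?", (name))
    return [row[0] for row in cur.fetchall()]


def run_demo():
    """Run each variant and record either its rows or the exception class."""
    conn = make_db()
    results = {}
    for label, fn, name in [
        ("parameterized", lookup_parameterized, "O'Brien"),
        ("formatted", lookup_formatted, "O'Brien"),
        ("missing_comma", lookup_missing_comma, "Alice"),
        # A one-character name happens to be a one-element sequence, so the
        # missing comma goes unnoticed: the bug only surfaces on longer input.
        ("missing_comma_one_char", lookup_missing_comma, "A"),
    ]:
        try:
            results[label] = fn(conn, name)
        except sqlite3.Error as exc:
            results[label] = type(exc).__name__
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print("%-24s %r" % (label, outcome))
```

Only the parameterized call returns the O'Brien row; the formatted query fails with a syntax error because the embedded quote terminates the string literal early (the same mechanism the xkcd strip relies on), and the missing-comma call fails with a binding-count error for any name longer than one character.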