[Tutor] ODBC SQL Server Question

Kristina Ambert krissy.ambert at gmail.com
Wed Sep 23 22:38:07 CEST 2009


Hi,
Thank you guys for the replies and thanks Kent for the explanation, and
yes, this:
self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, ))
using the comma did make it work.



On Fri, Sep 18, 2009 at 3:40 PM, Jeff Johnson <jeff at dcsoftware.com> wrote:

> Thanks for the clarification Kent!
>
>
> Kent Johnson wrote:
>
>> On Fri, Sep 18, 2009 at 2:14 PM, Jeff Johnson <jeff at dcsoftware.com>
>> wrote:
>>
>>> Kent:
>>>
>>> How about this:
>>> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" %
>>> (name,
>>> ))
>>>
>>
>> No, that has the same result as your original. For example,
>> In [3]: name = "Kent'; drop table Stories;--"
>>
>> In [4]: "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, )
>> Out[4]: "SELECT CUSTID FROM Stories WHERE NAME = 'Kent'; drop table
>> Stories;--'"
>>
>> Oops.
>>
>>> Question, does execute know to substitute the question mark with name?
>>> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, ))
>>>
>>
>> Yes, and it will correctly quote name according to the conventions of
>> the database in use. (Note that not all DB-API implementations use ?
>> as the placeholder; check the docs for the db you are using.)
>>
>> Kent
>>
>
> --
> Jeff
>
> Jeff Johnson
> jeff at dcsoftware.com
> Phoenix Python User Group - sunpiggies at googlegroups.com
>



-- 
Cheers,
Krissy
-----------------------------------------------------------------------
Testing the waters is always fun...
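An added example (not code from the thread) that runs both query styles from Kent's reply against a constructed in-memory SQLite table, since the sqlite3 module uses the same `?` placeholder as the pyodbc code above; the Stories rows and the O'Brien name are assumed here.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Stories table discussed in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Stories (CUSTID INTEGER, NAME TEXT)")
    conn.executemany("INSERT INTO Stories VALUES (?, ?)",
                     [(1, "Kent"), (2, "Jeff"), (3, "O'Brien")])
    conn.commit()
    return conn


def format_query(name):
    """The string-formatting version: the value becomes part of the SQL text."""
    return "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name,)


def lookup_formatted(conn, name):
    """Run the formatted query; return CUSTIDs, or ("error", message) if the database rejects it.
    sqlite3 refuses a second statement in one execute() call, so Kent's input fails here;
    a driver that batches statements would run the injected DROP."""
    try:
        return [row[0] for row in conn.execute(format_query(name))]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("error", str(exc))


def lookup_parameterized(conn, name):
    """The DB-API version: the driver binds the value separately, so it is never parsed as SQL."""
    return [row[0] for row in
            conn.execute("SELECT CUSTID FROM Stories WHERE NAME = ?", (name,))]


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Stories'").fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "Kent'; drop table Stories;--"     # Kent's example input from the thread
    print(format_query(payload))                  # the same string Kent showed in Out[4]
    print(lookup_formatted(conn, payload))        # ('error', ...): sqlite3 rejects the extra statement
    print(lookup_parameterized(conn, payload))    # []: the whole string is compared as one NAME value
    print(lookup_formatted(conn, "O'Brien"))      # ('error', ...): a legitimate quote also breaks the formatted SQL
    print(lookup_parameterized(conn, "O'Brien"))  # [3]: binding handles the quote correctly
    print(table_exists(conn))                     # True
```

The O'Brien case shows the second reason to use placeholders: a value containing a quote is simply a value to the driver, while it is a syntax error to the formatted query.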