[Tutor] no luck with sqlinsert
Steve Willoughby
steve at alchemy.com
Fri Jan 14 18:16:34 CET 2011
On 14-Jan-11 09:03, Jason Staudenmayer wrote:
> Don't build you sql separate from the execute (or so I was told when I
> was doing something similar)
> cur.execute(INSERT INTO tkindbtal (kommune, komnr, i2005, i2006, i2007 \
> , i2008, i2009, i2010) VALUES (%s, %s, %s, %s, %s, %s,\
> %s, %s)% (cols[0], cols[1], int(cols[2]), int(cols[3]), int(cols[4]), \
> int(cols[5]), int(cols[6]), int(cols[7]))
It's generally bad practice to simply paste string values together to
include values into SQL, such as the code above (using % formatting).
You need to properly escape the data strings. Most SQL interfaces in
Python offer methods for this, either as individual string operation or
by allowing "place holder" values in the SQL query which discrete values
are then added to as separate arguments (so the SQL library escapes them
for you automatically).
The danger is if the data strings include SQL syntax like quotes or
whatever, it can invalidate your SQL query, making it fail. A malicious
user who can feed you those data values can deliberately design them to
actually do whatever they want to your database.
More information about the Tutor
mailing list