[DB-SIG] mysql string length?
engelbert.gruber at ssg.co.at
Tue Apr 18 20:09:56 CEST 2006
On Tue, 18 Apr 2006, Lukasz Szybalski wrote:
SNIP
> OK guys, thanks for the help. I finally searched for how to escape strings and I used:
>
> "insert into table(id,body) values ('%d',"'''"%s"'''")"%(id,body)
>
> where the "'''" on each side of %s is double quote + 3x single quote + double quote
As Andy Dustman said:
Don't do that. It'll work right up until you have a string with quotes
or \x00 bytes in it. Then bad things will happen. How bad depends on
where body comes from (think SQL injection attacks).
> c.execute("INSERT INTO table_x (body) VALUES (%s)", (body,))
Do that instead. Special characters will be escaped.
cheers
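Added example, not part of the thread: it runs both approaches side by side so the failure modes Andy describes (a quote inside the body, and a body that rewrites the statement) are visible. It uses Python's bundled sqlite3 module as a stand-in for MySQLdb so it runs offline; sqlite3's placeholder is ? where MySQLdb's is %s, otherwise the DB-API pattern is the same. The table name and the sample bodies are constructed for the demonstration.

```python
import sqlite3

# sqlite3 stands in for MySQLdb here only because it ships with Python and runs
# offline; the placeholder is ? instead of MySQLdb's %s, the rest is the same.

# Constructed sample inputs, not from the thread.
INJECTING_BODY = "x'), ('injected"   # closes the value and appends a second row
QUOTED_BODY = "O'Brien"              # an ordinary apostrophe in user data


def fresh_db():
    """In-memory table_x (hypothetical name) with one pre-existing row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_x (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO table_x (body) VALUES (?)", ("keep me",))
    conn.commit()
    return conn


def insert_formatted(conn, body):
    """The pattern from the thread: body spliced into the SQL text with %.
    Whatever the string contains becomes part of the statement."""
    sql = "INSERT INTO table_x (body) VALUES ('%s')" % body
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, body):
    """Andy Dustman's advice: pass the value separately and let the driver
    bind it, so it is stored verbatim and never parsed as SQL."""
    conn.execute("INSERT INTO table_x (body) VALUES (?)", (body,))
    conn.commit()


def stored_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM table_x ORDER BY id")]


def compare(body):
    """Run both inserts against fresh databases and return
    (formatted outcome, parameterized outcome). An outcome is the list of
    stored bodies, or the exception class name if the insert failed."""
    results = []
    for insert in (insert_formatted, insert_parameterized):
        conn = fresh_db()
        try:
            insert(conn, body)
            results.append(stored_bodies(conn))
        except sqlite3.Error as exc:
            results.append(type(exc).__name__)
        finally:
            conn.close()
    return tuple(results)


if __name__ == "__main__":
    # Formatted: a second row appears that the application never meant to insert.
    # Parameterized: the payload is stored as plain text.
    print(compare(INJECTING_BODY))
    # Formatted: the apostrophe breaks the statement (OperationalError).
    # Parameterized: O'Brien is stored as is.
    print(compare(QUOTED_BODY))
```

The formatted version inserts an extra row from the first input and fails outright on the second; the parameterized version stores both strings exactly. The \x00 case Andy mentions is not exercised here. With MySQLdb the parameterized call is the one quoted above, `c.execute("INSERT INTO table_x (body) VALUES (%s)", (body,))`, with the value in the second argument, never formatted into the first.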