[Tutor] preventing SQL injection

johnf jfabiani at yolo.com
Fri Jan 11 18:30:16 CET 2008


On Friday 11 January 2008 09:14:25 am Simone wrote:
> johnf ha scritto:
> > But the above does not work when I use variables instead of strings as in
> >
> > tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as
> > seq", ( tableName, fieldName ) )
> >
> > So how am I supposed to prevent SQL injections?????
>
> Try to use '?' instead of %s, like this:
>
> tempCursor.execute ( "Select pg_get_serial_sequence ( ?, ? ) as seq", (
> tableName, fieldName ) )
>
> For further information see PEP 249
> (http://www.python.org/dev/peps/pep-0249/)
>
> HTH!
>
> Simone

Thanks, I think I see the issue.  The qmark etc. was the clue.



-- 
John Fabiani
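The thread above is about passing values to execute() separately from the SQL text, which is what PEP 249 parameter binding does. The following is an added example, not code from the thread or from any of its posters; it uses Python's built-in sqlite3 module so it runs offline (the thread concerns PostgreSQL, but the binding mechanism is the same), and the users table and rows in it are constructed sample data. It shows the injectable string-formatted query next to the bound-parameter version, how to read the driver's placeholder style from its paramstyle attribute (sqlite3 reports 'qmark', so '?'; psycopg2, the usual PostgreSQL driver, reports 'pyformat', so '%s' is the correct placeholder there), and the caveat that identifiers such as a table or column name can never be bound as parameters and must be validated another way.

```python
import sqlite3

# Constructed sample data for this example (not from the original thread).
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Identifiers cannot be bound as parameters, so a column name chosen at
# runtime is checked against this fixed allowlist instead.
ALLOWED_COLUMNS = {"username", "email"}


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    # executemany binds each tuple as parameters; nothing is spliced into the SQL.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the untrusted value becomes part of the SQL text.

    An input such as  x' OR '1'='1  turns the WHERE clause into a tautology
    and the query returns every row in the table.
    """
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Bound parameter (qmark style): the value is sent apart from the SQL.

    The driver treats the whole input as one string to compare against, so the
    same injection payload simply matches no rows.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_safe_named(conn, username):
    """Same thing with PEP 249 'named' placeholders, which sqlite3 also accepts."""
    sql = "SELECT username, email FROM users WHERE username = :name"
    return conn.execute(sql, {"name": username}).fetchall()


def lookup_by_column(conn, column, value):
    """Identifier plus value: validate the identifier, bind only the value.

    No DB-API driver lets you bind a table or column name as a parameter (it
    would be quoted as a string literal, not used as an identifier), so the
    name is restricted to a known set before it is placed in the SQL text.
    """
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % (column,))
    sql = "SELECT username, email FROM users WHERE %s = ?" % column
    return conn.execute(sql, (value,)).fetchall()


def placeholder_style():
    """Every PEP 249 module exposes the placeholder style it expects.

    sqlite3 reports 'qmark' (use ?); psycopg2 reports 'pyformat' (use %s).
    Read this attribute rather than guessing which marker a driver wants.
    """
    return sqlite3.paramstyle


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("paramstyle:", placeholder_style())
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("bound:     ", lookup_safe(db, payload))
    print("by column: ", lookup_by_column(db, "email", "bob@example.com"))
```

Running the script prints all three rows for the vulnerable lookup and an empty list for the bound one; the %s in lookup_by_column is Python string formatting of an allowlisted identifier, which is the one place where formatting into the SQL text is acceptable, and it must never be applied to the value.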