[Tutor] preventing SQL injection
Alan Gauld
alan.gauld at btinternet.com
Fri Jan 11 19:20:13 CET 2008
"johnf" <jfabiani at yolo.com> wrote
> and should be doing
> tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( 'public.arcust', 'pkid' ) )
>
> which prevented SQL injection.
The syntax of the execute statement varies by database.
Which DB are you using? For example, SQLite uses ?
instead of %s indicators.
Could that be the issue? Have you checked the DB-API
guide for your database?
HTH,
--
Alan Gauld
Author of the Learn to Program web site
http://www.freenetpages.co.uk/hp/alan.gauld
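An added example, not part of Alan's reply or of the original thread, showing the point in Python's built-in sqlite3 module: each DB-API module advertises its placeholder style in a `paramstyle` attribute (sqlite3 is `qmark`, i.e. `?`; psycopg2 for PostgreSQL is `pyformat`, i.e. `%s`), and a query that passes values as parameters keeps them as data even when they contain a quote. The table, rows and helper names below are constructed for the illustration.

```python
import sqlite3

# Each DB-API 2.0 module exposes its placeholder style; sqlite3 uses "qmark".
# psycopg2 (PostgreSQL) reports "pyformat", which is why the quoted post uses %s.
def placeholder(module):
    """Return the positional placeholder token a DB-API module expects."""
    style = module.paramstyle
    if style == "qmark":
        return "?"
    if style in ("format", "pyformat"):
        return "%s"
    raise ValueError(f"unsupported paramstyle: {style}")


def make_db():
    """Constructed in-memory database with a name containing an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("O'Brien", "Cork"), ("Smith", "Leeds")],
    )
    return conn


def find_customer(conn, name):
    """Parameterised lookup: the driver sends the value separately from the SQL."""
    sql = f"SELECT name, city FROM customers WHERE name = {placeholder(sqlite3)}"
    return conn.execute(sql, (name,)).fetchall()


def find_customer_unsafe(conn, name):
    """Interpolating the value into the SQL text. The apostrophe in O'Brien
    terminates the string literal early and the statement fails to parse;
    returns None in that case so the caller can see the difference."""
    sql = f"SELECT name, city FROM customers WHERE name = '{name}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    db = make_db()
    print(placeholder(sqlite3))              # ?
    print(find_customer(db, "O'Brien"))      # [("O'Brien", "Cork")]
    print(find_customer_unsafe(db, "O'Brien"))  # None
```

The same `find_customer` works unchanged against PostgreSQL if `placeholder(psycopg2)` is used instead of `placeholder(sqlite3)`; the SQL text changes only in the placeholder token, and the value is still never spliced into the statement.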