<div>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">>data = {}<br>>data['start_date'] = '2005-6-2'<br>>data['last_name'] = 'Johnson'<br>><br>>query = '''
<br>> SELECT *<br>> FROM my_table<br>> WHERE date >= '%(start_date)s'<br>> AND last_name = '%(last_name)s'<br>>''' % data<br>>results = my_database.Execute(query)<br><br><br>First up. This is a "bad idea".
<br><br>It may be ok now, as long as you have absolute control<br>over what start_date and last_name are, but what about<br>next week when you decide ... "let's allow the user to put<br>in the dates for start_date" and they make start_date
<br>"'6-2-05'; DELETE FROM my_table; SELECT * FROM my_table<br>WHERE date='6-2-05' "<br><br>Instead, use the arg quoting mechanism from the db<br>interface you are using. You don't say which one that<br>is, but it should look something like ...
<br><br>data = {}<br>data['start_date'] = '2005-6-2'<br>data['last_name'] = 'Johnson'<br><br># no quotes around the placeholders: the db interface quotes the values itself<br>query = '''<br> SELECT *<br> FROM my_table<br> WHERE date >= %(start_date)s<br> AND last_name = %(last_name)s
<br>'''<br>results = my_database.execute(query, data)</blockquote>
<div> </div>
<div>Very nice. Thank you.</div>
<div>--greg</div><br> </div>
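As an added example that is not part of the thread above, the two ways of building the query sit side by side below and run against an in-memory SQLite database. The table, its rows, and the data dictionaries are constructed for this demonstration; sqlite3 binds parameters with `:name` placeholders rather than the `%(name)s` style of the quoted message, but the principle is identical. The hostile `start_date` is the one from the quoted message, used verbatim.

```python
# Added example, not code from the quoted thread: the query built by string
# formatting next to the same query built with bound parameters, run against
# an in-memory SQLite database. Table, rows and data dicts are constructed.
import sqlite3


def make_db():
    """Fresh in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (date TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO my_table VALUES (?, ?)",
        [("2005-06-01", "Johnson"), ("2005-06-02", "Johnson"), ("2005-06-03", "Smith")],
    )
    conn.commit()
    return conn


def build_query_unsafe(data):
    """The pattern the thread warns against: values are pasted into the SQL
    text, so whatever is in data['start_date'] becomes part of the statement.
    Returns the formatted text so it can be inspected rather than executed."""
    return """
      SELECT * FROM my_table
      WHERE date >= '%(start_date)s'
      AND last_name = '%(last_name)s'
    """ % data


def query_safe(conn, data):
    """The fix: placeholders are left unquoted and the values are passed
    separately. The driver binds each value as one literal, so the text of
    data['start_date'] can only ever be compared as a string, never parsed
    as SQL. Returns the matching rows and how many rows the table still has."""
    rows = conn.execute(
        """
        SELECT * FROM my_table
        WHERE date >= :start_date
        AND last_name = :last_name
        """,
        data,
    ).fetchall()
    remaining = conn.execute("SELECT COUNT(*) FROM my_table").fetchone()[0]
    return {"rows": rows, "remaining": remaining}


# Constructed inputs: a normal lookup and the hostile start_date from the thread.
NORMAL = {"start_date": "2005-06-02", "last_name": "Johnson"}
HOSTILE = {
    "start_date": "'6-2-05'; DELETE FROM my_table; SELECT * FROM my_table WHERE date='6-2-05' ",
    "last_name": "Johnson",
}

if __name__ == "__main__":
    # With formatting, the DELETE is now literally part of the SQL text.
    print(build_query_unsafe(HOSTILE))
    # With bound parameters, the hostile text is just a string being compared;
    # nothing is deleted and all rows remain.
    print(query_safe(make_db(), NORMAL))
    print(query_safe(make_db(), HOSTILE))
```

Drivers that use the `%(name)s` paramstyle (psycopg2, MySQLdb and others) behave the same way as the `:name` form here: the placeholder is written without surrounding quotes and the value goes in the second argument to `execute()`, exactly as the corrected snippet in the quoted message shows.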