Hi,<br>Thanks you guys for the replies and thanks Kent for the explanation, and yes, this:<br>
self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, ))<br>using the comma did make it work.<br><br><br><br><div class="gmail_quote">On Fri, Sep 18, 2009 at 3:40 PM, Jeff Johnson <span dir="ltr"><<a href="mailto:jeff@dcsoftware.com">jeff@dcsoftware.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Thanks for the clarification Kent!<div><div></div><div class="h5"><br>
<br>
Kent Johnson wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Fri, Sep 18, 2009 at 2:14 PM, Jeff Johnson <<a href="mailto:jeff@dcsoftware.com" target="_blank">jeff@dcsoftware.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Kent:<br>
<br>
How about this:<br>
self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name,<br>
))<br>
</blockquote>
<br>
No, that has the same result as your original. For example,<br>
In [3]: name = "Kent'; drop table Stories;--"<br>
<br>
In [4]: "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, )<br>
Out[4]: "SELECT CUSTID FROM Stories WHERE NAME = 'Kent'; drop table Stories;--'"<br>
<br>
Oops.<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Question, does execute know to substitute the question mark with name?<br>
self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, ))<br>
</blockquote>
<br>
Yes, and it will correctly quote name according to the conventions of<br>
the database in use. (Note that not all DB-API implementations use ?<br>
as the placeholder; check the docs for the db you are using.)<br>
<br>
Kent<br>
</blockquote>
<br></div></div>
-- <br><font color="#888888">
Jeff</font><div class="im"><br>
<br>
Jeff Johnson<br>
<a href="mailto:jeff@dcsoftware.com" target="_blank">jeff@dcsoftware.com</a><br></div><div><div></div><div class="h5">
Phoenix Python User Group - <a href="mailto:sunpiggies@googlegroups.com" target="_blank">sunpiggies@googlegroups.com</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Cheers,<br>Krissy <br>-----------------------------------------------------------------------<br>Testing the waters is always fun...<br>