[DB-SIG] SQL string escape function
Federico Di Gregorio
fog@mixadlive.com
25 Jul 2001 09:30:11 +0200
On 24 Jul 2001 17:52:29 -0700, moored@reed.edu wrote:
> On Tue, 24 Jul 2001, Paul DuBois wrote:
> >
> > You need to do it if you want to produce SQL statements for *another*
> > program to execute.
> >
>
> I'm not familiar with 'bound variables,' but I did search for it.
> My main wonder is if the following two statements are equivalent:
>
> sqlstring = "SELECT * FROM table WHERE table.string=\'%s\'"
> sqlstring = sqlstring % (nastystring)
> cursor.execute(sqlstring)
>
> versus:
>
> cursor.execute("SELECT * FROM table WHERE table.string=\'%s\'" %
> (nastystring))
You don't have to put the ' around %s; the module will do it for you. As
somebody else noted in a past thread, letting the module quote the
string will improve the security against nasty-string attacks; see the
ML archives for a full explanation and example.
Oh, also, you don't have to escape ' inside a " in Python.
ciao,
federico
--
Federico Di Gregorio
MIXAD LIVE Chief of Research & Technology fog@mixadlive.com
Debian GNU/Linux Developer & Italian Press Contact fog@debian.org
Abandon the search for Truth; settle for a good fantasy. -- Anonymous
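The difference Federico describes, shown as an added example that is not part of the original thread or of any DB-API module: the quoted post's `%`-interpolation with hand-placed quotes is run side by side with handing the value to `execute()` as a parameter. It uses the standard-library `sqlite3` module so that it runs anywhere; `sqlite3` uses the qmark paramstyle (`?`) where psycopg uses `%s`, but the behaviour being demonstrated is the same. The table, rows and the `NASTY` string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
ROWS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]

# A value that closes the attacker-controlled quote and tacks on an always-true clause.
NASTY = "' OR '1'='1"


def make_db():
    """Fresh in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, name):
    """The pattern from the quoted post: the caller writes the quotes and splices
    the value into the SQL text with %.  A ' inside `name` ends the literal early
    and the rest of the value becomes SQL."""
    sql = "SELECT name FROM users WHERE name='%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Federico's advice: no quotes around the placeholder, and the value is passed
    to execute() separately so the module binds it as a single string literal.
    (Placeholder is ? here because sqlite3 is qmark-style; psycopg uses %s.)"""
    sql = "SELECT name FROM users WHERE name=?"
    return [row[0] for row in conn.execute(sql, (name,))]


def quoted_placeholder_fails(conn, name):
    """Why the ' around the placeholder must go: quoted, '?' is just a one-character
    string literal, so the statement has zero bindings and the module rejects the
    parameter tuple instead of substituting it.  Returns True if that error is raised."""
    try:
        conn.execute("SELECT name FROM users WHERE name='?'", (name,))
    except sqlite3.ProgrammingError:
        return True
    return False


def demo():
    """Run both lookups with the hostile value and one honest lookup."""
    conn = make_db()
    return {
        # interpolated: WHERE name='' OR '1'='1'  -> every row comes back
        "interpolated": lookup_interpolated(conn, NASTY),
        # parameterized: the whole value is compared as a literal -> no row matches
        "parameterized": lookup_parameterized(conn, NASTY),
        # the parameterized form still works for ordinary input
        "honest": lookup_parameterized(conn, "bob"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:14s} -> {result}")
    print("quoted placeholder rejected:", quoted_placeholder_fails(make_db(), "bob"))
```

The same holds for the two forms in the quoted post: both of them interpolate before `execute()` ever sees the string, so the driver has no chance to quote anything; only the call that passes the value as a separate argument gets the module's quoting.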