[DB-SIG] Including variables in SQL queries

Turcotte, Paul paulturcotte@bbg.org
Mon, 18 Mar 2002 10:05:12 -0500

Something like this may work for you:

query = "select password from table where userid like '" + formid + "'"

No doubt there are many other ways to do the same, likely many of them more
elegant than my newbie code, but it works for me.  Also, you can tweak it
depending on what type formid is.

Hope it helps,
Paul Turcotte
Director of Computer Technology
Brooklyn Botanic Garden
718.623.7232  |  fax 622.7839

-----Original Message-----
From: Hugh [mailto:h.e.w.frater@cs.cf.ac.uk] 
Sent: Saturday, March 17, 2001 4:43 PM
To: db-sig@python.org
Subject: [DB-SIG] Including variables in SQL queries

Hi All,
	I got DCOracle2 installed and working a while back and am
progressing with the project OK. What I want to know, is how to include
variables in an SQL query. This is so I can select an encrypted password from
a table given the userID which is parsed using the cgi.py module into a
variable in my python script. The code I've got is as follows: Note I have
yet to try this because the tables are not yet finalised.

formid = form.getvalue('id')
c.execute("select password from tblborrower where userid = formid")

I have a suspicion that this won't work because it will try and use "formid"
as the value for userid instead of the value of the string formid.

I know there are probably better ways to make a secure login, but it's only
a first year project, and it doesn't matter that much. Thanks in advance for
any help. Hugh Frater

DB-SIG maillist  -  DB-SIG@python.org
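
An added example, not part of the original thread or of DCOracle2: the concatenated query from the reply next to the same lookup written with a bind parameter, run over constructed form values. It assumes the standard-library sqlite3 module as a stand-in for the Oracle connection; the sample rows and the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for the Oracle connection.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tblborrower (userid text primary key, password text)")
    conn.executemany(
        "insert into tblborrower values (?, ?)",
        [("hugh", "hash-h"), ("paul", "hash-p"), ("o'brien", "hash-o")],
    )
    return conn

def lookup_concat(conn, formid):
    # Pattern from the reply: the form value becomes part of the SQL text.
    query = "select password from tblborrower where userid like '" + formid + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_bound(conn, formid):
    # Bind parameter: the driver passes formid as data, never as SQL.
    # "?" is sqlite3's placeholder; DB-API modules advertise theirs in `paramstyle`.
    cur = conn.execute("select password from tblborrower where userid = ?", (formid,))
    return [row[0] for row in cur]

def compare(conn, formid):
    # Return (concatenated result or error name, bound result) for one form value.
    try:
        concat = lookup_concat(conn, formid)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    return concat, lookup_bound(conn, formid)

if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a plain id, an id with an apostrophe, a LIKE
    # wildcard, and a value whose quote ends the string literal early.
    for value in ["hugh", "o'brien", "%", "x' or '1'='1"]:
        print(repr(value), compare(conn, value))
```

With concatenation, the apostrophe in a legitimate id is a syntax error and the last two values return every stored password; the bound query returns only an exact match in each case.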