[DB-SIG] Re: PyFormat and execute
Holger Duerer
H.Duerer at gmx.net
Wed Feb 11 15:35:02 EST 2004
>>>>> "Andy" == Andy Todd <andy47 at halfcooked.com> writes:
[...]
Andy> Yes, and yes to your last two questions. It is in the DB-API
Andy> specification, it's just not incredibly obvious to the
Andy> newcomer.
Andy> To that end I created a page on the Python Wiki and made
Andy> this FAQ number 1;
Andy> http://www.python.org/cgi-bin/moinmoin/DbApiFaq
Andy> If anyone wants to improve my wording feel free.
Yes, it is shocking that this feature is not more widely known. Most
examples of DB access code that I have seen use the literal approach
of adding the value in the SQL statement itself -- this is of course a
SQL injection attack waiting to happen for all those people who just
copy such code...
All example programs should only show the execute method with
arguments provided separately.
Holger
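As an added example (not part of the original thread), here is the "literal approach" Holger warns about next to the DB-API form where the value is handed to execute() separately. It uses the standard-library sqlite3 module, whose paramstyle is 'qmark' and 'named' rather than the 'pyformat' of the subject line; the table and user names are constructed sample data.

```python
import sqlite3

# Constructed sample rows; one name legitimately contains an apostrophe.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("O'Brien", "obrien@example.org"),
]


def make_db():
    """Create an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_literal(conn, name):
    """The pattern to avoid: the value is pasted into the SQL text, so any
    quote character in `name` becomes part of the statement itself."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """DB-API style with the 'qmark' paramstyle: the statement is fixed and
    the value travels separately, so the driver treats it purely as data."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_named(conn, name):
    """Same query with the 'named' paramstyle, the closest sqlite3 offers to
    pyformat's %(name)s: placeholders are looked up in a mapping."""
    sql = "SELECT email FROM users WHERE name = :name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


def literal_query_fails(conn, name):
    """True when the literal form cannot even be parsed for `name`, which is
    what happens for an ordinary value such as O'Brien."""
    try:
        lookup_literal(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```

The literal version raises a syntax error on the apostrophe in O'Brien, while both parameterized versions return the matching row; the same mechanism is what lets a hostile value rewrite the query in the literal form.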