[DB-SIG] Re: PyFormat and execute

Holger Duerer H.Duerer at gmx.net
Wed Feb 11 15:35:02 EST 2004


>>>>> "Andy" == Andy Todd <andy47 at halfcooked.com> writes:
 [...]

    Andy> Yes, and yes to your last two questions. It is in the DB-API
    Andy> specification, it's just not incredibly obvious to the
    Andy> newcomer.

    Andy> To that end I created a page on the Python Wiki and made
    Andy> this FAQ number 1;

    Andy> http://www.python.org/cgi-bin/moinmoin/DbApiFaq

    Andy> If anyone wants to improve my wording feel free.

Yes, it is shocking that this feature is not more widely known.  Most
examples of DB access code that I have seen use the literal approach
of adding the value in the SQL statement itself -- this is of course a
SQL injection attack waiting to happen for all those people who just
copy such code...

All example programs should only show the execute method with
arguments provided separately.
        Holger
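An added illustration of the point made above, not code from this thread or from the DbApiFaq page: it uses the standard-library sqlite3 module (assumed available; its paramstyle is qmark, and it also accepts the named style) on a constructed in-memory table, and puts the literal-formatting approach next to execute() with the arguments passed separately, so the difference in behaviour on an input containing a quote is visible.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_literal(conn, name):
    # The literal approach the message warns about: the value is spliced
    # into the statement text, so a quote in the input becomes SQL.
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_qmark(conn, name):
    # sqlite3's paramstyle is 'qmark': the driver binds the value as data,
    # and it is never parsed as part of the statement.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_named(conn, name):
    # 'named' style with a dict; a 'pyformat' driver takes the same dict
    # with the placeholder written as %(name)s instead of :name.
    sql = "SELECT name FROM users WHERE name = :name ORDER BY name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


def demo():
    conn = make_db()
    benign = "alice"
    hostile = "x' OR 'a'='a"  # constructed input containing a quote
    return {
        "paramstyle": sqlite3.paramstyle,
        "literal_benign": lookup_literal(conn, benign),
        "literal_hostile": lookup_literal(conn, hostile),  # returns every row
        "qmark_hostile": lookup_qmark(conn, hostile),      # returns nothing
        "named_hostile": lookup_named(conn, hostile),      # returns nothing
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Check `module.paramstyle` on whatever driver you use; the placeholder syntax differs between drivers, but the arguments are always passed as the second argument to execute().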
