[DB-SIG] mysql string length?

engelbert.gruber at ssg.co.at
Tue Apr 18 20:09:56 CEST 2006


On Tue, 18 Apr 2006, Lukasz Szybalski wrote:

SNIP

> Ok guys, thanks for help. I finally searched for how to escape strings and I used:
>
> "insert into table(id,body) values ('%d',"'''"%s"'''")"%(id,body)
>
> where "'''" on each side of s = double quote + 3x single quote + double quote

As Andy Dustman said:

   Don't do that. It'll work right up until you have a string with quotes
   or \x00 bytes in it. Then bad things will happen. How bad depends on
   where body comes from (think SQL injection attacks).

   >    c.execute("INSERT INTO table_x (body) VALUES(%s)", (body,))

   Do that instead. Special characters will be escaped.

cheers


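The contrast in Andy Dustman's quoted advice, as an added example that is not code from the thread: the string-formatting insert from the quoted reply beside the DB-API parameter-binding form. It uses the standard-library `sqlite3` module as a stand-in for MySQLdb so it runs without a MySQL server; `sqlite3` uses the `?` (qmark) placeholder where MySQLdb uses `%s`, but the shape of the call, SQL text plus a separate tuple of parameters, is the same. The table name `posts`, the helper names and the sample bodies are constructed for this example.

```python
import sqlite3

# Constructed sample inputs covering the two cases the quoted advice names:
# a body containing a quote and a body containing a \x00 byte.
SAMPLE_BODIES = [
    "plain text",
    "O'Reilly's book",      # single quotes inside the value
    "before\x00after",      # embedded NUL byte
]


def unsafe_insert(conn, row_id, body):
    """The approach from the quoted reply: the body is spliced into the SQL
    text with the % operator. Returns (True, None) when the statement ran and
    (False, error_text) when the database rejected it; wrapped in a helper so
    the failure can be observed rather than crashing the demo."""
    sql = "insert into posts(id, body) values ('%d', '%s')" % (row_id, body)
    try:
        conn.execute(sql)
        return True, None
    # sqlite3 reports a NUL in the query text as ValueError on some Python
    # versions and as sqlite3.ProgrammingError on others; catch both.
    except (sqlite3.Error, ValueError) as exc:
        return False, str(exc)


def safe_insert(conn, row_id, body):
    """DB-API parameter binding: the SQL text carries placeholders and the
    values travel separately as a tuple, so the driver handles quoting.
    Note the tuple: (body,) not (body). sqlite3 placeholder is '?';
    with MySQLdb the same call would read VALUES (%s, %s)."""
    conn.execute("insert into posts(id, body) values (?, ?)", (row_id, body))


def fetch_body(conn, row_id):
    """Read one body back, again with a bound parameter."""
    row = conn.execute("select body from posts where id = ?", (row_id,)).fetchone()
    return None if row is None else row[0]


def demo():
    """Run both inserts over every sample body and report, per body, whether
    the formatted statement was accepted and whether the bound insert stored
    the value unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table posts(id integer, body text)")
    results = {}
    for i, body in enumerate(SAMPLE_BODIES):
        unsafe_ok, err = unsafe_insert(conn, i, body)
        safe_insert(conn, 100 + i, body)
        results[body] = {
            "unsafe_ok": unsafe_ok,
            "unsafe_error": err,
            "safe_roundtrip": fetch_body(conn, 100 + i) == body,
        }
    conn.close()
    return results


if __name__ == "__main__":
    for body, outcome in demo().items():
        print(repr(body), outcome)
```

Running it shows the formatted statement succeeding only for the plain body: the quote turns the SQL into a syntax error (and, with attacker-chosen input, into a different statement), while the bound form stores every value as given.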