MySQLdb, escaping values
Gerhard Häring
gh at ghaering.de
Wed May 7 08:32:13 EDT 2003
John Hunter wrote:
>>>>>>"Skip" == Skip Montanaro <skip at pobox.com> writes:
> Skip> db = MySQLdb.Connection(...)
> Skip> n = raw_input("Enter a name: ").strip()
> Skip> curs = db.cursor()
> Skip> print curs.execute("select * from people where name = %s", (n,))
>
> Skip> Note that the second arg must be a tuple, even if you are
> Skip> only passing a single parameter.
>
> I have noticed a bug before where integers were not properly escaped in
> my version of mysqldb (or else I'm missing something obvious). For
> example, both
>
> c.execute('select * from image where pid=%d', (1234,))
> c.execute('select * from image where pid=%d', 1234)
>
> generate the exception [...]
> TypeError: an integer is required

Yeah. When using DB-API modules with paramstyle in ('format',
'pyformat'), always use %s, no matter what the type of the parameter is:

c.execute('select * from image where pid=%s', (1234,))

-- Gerhard
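
Added example (not part of the original post, and not MySQLdb's own code): a simplified model of how a driver with paramstyle 'format' fills its markers, showing why %s works for an integer while %d raises TypeError. The helper names to_sql_literal, render and try_render and the toy escaping rules are assumptions made for illustration.

```python
# Simplified model of a DB-API driver with paramstyle 'format' (hypothetical
# helper names; not MySQLdb's source). Real drivers escape with the
# connection's character set in mind; this toy escaper covers only the basics.

def to_sql_literal(value):
    """Convert one Python parameter into SQL literal text (always a str)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # bool is a subclass of int: check first
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, str):
        escaped = value.replace("\\", "\\\\").replace("'", "\\'")
        return "'" + escaped + "'"
    raise TypeError("unsupported parameter type: %r" % type(value))


def render(query, params):
    """Substitute parameters the way a 'format' paramstyle driver does:
    every parameter becomes literal text first, then fills a %s marker."""
    if not isinstance(params, (tuple, list)):
        params = (params,)
    return query % tuple(to_sql_literal(p) for p in params)


def try_render(query, params):
    """Return (sql, None) on success or (None, exception name) on failure."""
    try:
        return render(query, params), None
    except TypeError as exc:
        return None, type(exc).__name__


if __name__ == "__main__":
    # Constructed sample inputs.
    print(try_render("select * from image where pid=%s", (1234,)))
    # %d receives the already-converted text '1234', not an int, so it fails.
    print(try_render("select * from image where pid=%d", (1234,)))
    # The quote inside the value is escaped and cannot end the SQL literal.
    print(render("select * from people where name = %s", ("O'Brien",)))
```

Because every parameter is text by the time the marker is filled, the marker is a placeholder rather than a printf conversion, and the quoting comes from the driver instead of from the query string.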