help with creating a mysql query string

Tristan Seligmann mithrandi at mithrandi.za.net
Sun Jun 27 15:34:00 CEST 2004


On Sun, Jun 27, 2004 at 07:58:09 -0400, Sean Ross wrote:
> 
> "RiGGa" <rigga at hasnomail.com> wrote in message
> news:3SvDc.22042$NK4.3722156 at stones.force9.net...
> [snip]
> >
> > sqlquery = "INSERT INTO %s", tablename + " values(%s,%s,%s)", datavalue"
> >
> [snip]
> 
> sqlquery = "INSERT INTO " + tablename + " values(%s,%s,%s)"%datavalue

Rather do something like:

sqlquery = "INSERT INTO %s values(%%s,%%s,%%s)" % tablename
cursor.execute(sqlquery, datavalue)

The other way allows datavalue to contain arbitrary SQL that will be
executed, which can be a nasty security hole depending on where the
value comes from.
-- 
mithrandi, i Ainil en-Balandor, a faer Ambar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/python-list/attachments/20040627/7d276054/attachment.pgp>


More information about the Python-list mailing list