Transfer data from webpage form to database

Jerry Sievers jerry at
Wed Nov 24 14:30:19 CET 2004

Mark Roach <mrroach at> writes:

> On Wed, 2004-11-24 at 02:16 +0100, Pete..... wrote:
> That syntax doesn't look right. I think you were closer with your
> previous attempt. This is slightly more correct
> cur.execute('''INSERT INTO persons (name, surname, username, password) 
>     VALUES('%s','%s', '%s', '%s')''' % (form[name].value, 
>     form[surname].value, form[username].value, form[password].value))
> (Note the single quotes around the %s)
> The real problem with this code is that you are letting the user of your
> website inject whatever SQL they want directly into your command. I am
> not sure if this works for pypgsql, but with psycopg the safe way to do
> this is

If you are using pygresql the execute() method allows an optional dict
as arg2 and if provided, will be quoted according to data types and
the LHS string integrated with the dict as if by the % operator.

cur.execute('query with hand quoted args %s' % (foo))
cur.execute('query with args quoted by API %(name1)s, %(name2)d',dict)

String types will get wrapped in single quotes and have embedded
single quotes escaped, the most common use but other types such as
datetime will get special treatment as well.

I agree with you.  Any up to date API should have this capability
which can always be overridded in an extreme case.


Jerry Sievers   305 854-3001 (home)     WWW ECommerce Consultant
                305 321-1144 (mobile

More information about the Python-list mailing list