Transfer data from webpage form to database

Mark Roach mrroach at okmaybe.com
Wed Nov 24 04:57:14 CET 2004


On Wed, 2004-11-24 at 02:16 +0100, Pete..... wrote:
> Hi I got that error debugged but, now there is a new one:
>          12 cur.execute('''INSERT INTO persons (persons.name, 
> persons.surname, persons.username, persons.password) VALUES %s,%s, %s, %s 
> ''' %(form['name'].value, form['surname'].value, form['username'].value, 
> form['password'].value))

That syntax doesn't look right. I think you were closer with your
previous attempt. This is slightly more correct

cur.execute('''INSERT INTO persons (name, surname, username, password) 
    VALUES('%s','%s', '%s', '%s')''' % (form[name].value, 
    form[surname].value, form[username].value, form[password].value))

(Note the single quotes around the %s)

The real problem with this code is that you are letting the user of your
website inject whatever SQL they want directly into your command. I am
not sure if this works for pypgsql, but with psycopg the safe way to do
this is

insert_command = '''
    INSERT INTO persons (name, surname, username, password) 
    VALUES(%s, %s, %s, %s)
'''
cur.execute(insert_command, 
	(form[name].value, form[surname].value, \
	form[username].value, form[password].value))

I believe this works with other DB API 2.0 compatible modules. This lets
the database module worry about whether "jim's house" needs to be turned
into "jim\\'s house" or "'jim\\'s house'"

HTH

-Mark




More information about the Python-list mailing list