sql escaping module

David Bear david.bear at asu.edu
Thu Dec 8 20:07:03 CET 2005


Fredrik Lundh wrote:

> David Bear wrote:
> 
>> Being new to pgdb, I'm finding there are lot of things I don't understand
>> when I read the PEP and the sparse documentation on pgdb.
>>
>> I was hoping there would be a module that would properly escape longer
>> text strings to prevent sql injection -- and other things just make sure
>> the python string object ends up being a properly type for postgresql.
>> I've bought 3 books on postgresql and none of th code samples demonstrate
>> this.
>>
>> web searchs for 'python sql escape  string' yeild way too many results.
>>
>> Any pointers would be greatly appreciated.
> 
> for x in range(1000000):
>     print "USE PARAMETERS TO PASS VALUES TO THE DATABASE"
> 
> </F>
Yes. Fredrik and others. Thank you for the advice.

I know have the following code:

..
    parmChar = '%s'
    sqlInsert = """INSERT INTO %s (%s) VALUES (%s); """ % (tn, ",
        ".join(fieldnames), ", ".join([parmChar] * len(fieldnames)))
    try:
        cursor.execute(sqlInsert, datum)
    except pgdb.DatabaseError:
        logerror("Error on record insert \n %s \n %s" % (sqlInsert, 
           traceback.print_exc()))

I was not aware that the python db interface would just handle proper
escaping of python data types to proper postgresql data types.

Any other hints on database programming much appreciated.

-- 
David Bear
-- let me buy your intellectual property, I want to own your thoughts --



More information about the Python-list mailing list