sql using characters like é and ã

Magnus Lycka lycka at carmen.se
Tue Dec 13 13:50:37 CET 2005


Diez B. Roggisch wrote:
> "Select * from table where name like '%s%%'" %
> "José".decode("latin-1").encode("utf-8")

Ouch! Please use parameter passing instead of building full SQL
statements with embedded parameter values. You're opening up for
SQL injection attacks if you allow user provided input in SQL code.

Imagine that instead of "José", you had gotten
"';DELETE FROM TABLE;SELECT * FROM TABLE WHERE NAME LIKE='"

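The two patterns side by side, as an added example that is not part of the original thread: the quoted string-formatting query next to a parameterised one, run against an in-memory SQLite database with a constructed `names` table (the table, the sample rows and the function names are assumptions for the demo). It also covers a caveat the message does not mention: binding the value stops injection, but `%` and `_` inside it are still LIKE wildcards unless escaped.

```python
# Added example (not from the thread): string-formatted SQL beside a
# parameterised query, using Python 3's sqlite3 module.
import sqlite3

# Constructed sample rows for the demo; not data from the original post.
SAMPLE_NAMES = ["José", "Josefina", "João", "Ana"]


def make_db():
    """Return an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (name TEXT)")
    conn.executemany("INSERT INTO names VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def search_unsafe(conn, prefix):
    """The pattern quoted in the thread: the value is pasted into the SQL text.

    A prefix containing a single quote ends the string literal, and whatever
    follows is parsed as SQL, so the caller's WHERE clause can be rewritten.
    Kept deliberately vulnerable to show the problem.
    """
    sql = "SELECT name FROM names WHERE name LIKE '%s%%'" % prefix
    return [row[0] for row in conn.execute(sql)]


def escape_like(text, escape="\\"):
    """Escape LIKE metacharacters so user input is matched literally.

    Parameter passing keeps the value out of the SQL text, but '%' and '_'
    inside the value are still wildcards to LIKE unless escaped.
    """
    return (text.replace(escape, escape + escape)
                .replace("%", escape + "%")
                .replace("_", escape + "_"))


def search_safe(conn, prefix):
    """Parameter passing: the driver binds the value, it never becomes SQL text."""
    pattern = escape_like(prefix) + "%"
    sql = "SELECT name FROM names WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    # Ordinary input, non-ASCII included: both variants behave the same.
    print(search_unsafe(db, "Jos"))
    print(search_safe(db, "Jos"))
    # Hostile input: the quote closes the literal and the rest becomes SQL,
    # so the unsafe query matches every row; the safe one matches none.
    payload = "' OR name LIKE '"
    print(search_unsafe(db, payload))
    print(search_safe(db, payload))
    # Wildcard caveat: a bare '%' dumps the table through the unsafe query,
    # while the escaped, bound version treats it as a literal percent sign.
    print(search_unsafe(db, "%"))
    print(search_safe(db, "%"))
```

With the payload above the formatted statement becomes `SELECT name FROM names WHERE name LIKE '' OR name LIKE '%'`, which is valid SQL and returns the whole table; the same string passed as a bound parameter is just a name nobody has. Stacked statements such as the `';DELETE FROM TABLE;...` payload in the message depend on whether the driver accepts more than one statement per call (sqlite3's `execute` does not), which is why the example uses a single-statement payload; the fix is the same either way.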

