MySQL problem

Kent Johnson kent37 at tds.net
Fri Mar 18 18:09:47 CET 2005


wes weston wrote:
> Dennis Lee Bieber wrote:
>>     Try neither, the recommended method is to let the execute() do
>> the formatting... That way /it/ can apply the needed quoting of
>> arguments based upon the type of the data.
>>
>> cursor.execute("insert into produkt1 (MyNumber) values (%s)", (MyValue,))
>>
> 
> Dennis,
>    Do you know if this has some efficiency advantage
> or is it just an agreed-upon custom?

It may have efficiency advantages if the DB caches requests. But the main advantages are that
- it correctly escapes special chars such as "
- consequently it also protects against SQL injection attacks where MyValue might contain malicious SQL.

Kent
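The two points Kent makes (quoting of special characters, and protection against injected SQL), as an added example that is not part of the original thread. It uses the standard library's sqlite3 so it runs offline; sqlite3's placeholder is `?` where MySQLdb's is `%s`, and the table, rows and function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the thread's produkt1 table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table produkt1 (MyNumber integer, Name text)")
    conn.executemany("insert into produkt1 values (?, ?)",
                     [(1, "Widget"), (2, "O'Brien special"), (3, "Gadget")])
    return conn


def insert_number(conn, value):
    """The insert from the thread: parameters go in a one-element tuple."""
    conn.execute("insert into produkt1 (MyNumber) values (?)", (value,))
    return conn.execute("select count(*) from produkt1").fetchone()[0]


def count_formatted(conn, name):
    """Wrong way: Python splices the value into the SQL text, so a quote
    character inside the value changes the structure of the statement."""
    sql = "select count(*) from produkt1 where Name = '%s'" % name
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, name):
    """Right way: execute() receives the value separately and the driver
    quotes it, so the value can only ever be compared, never executed."""
    sql = "select count(*) from produkt1 where Name = ?"
    return conn.execute(sql, (name,)).fetchone()[0]


def formatted_breaks(conn, name):
    """True when the formatted query cannot even be parsed for this value."""
    try:
        count_formatted(conn, name)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe: parameters find the row,
    # string formatting produces a syntax error.
    print(count_parameterized(db, "O'Brien special"))  # 1
    print(formatted_breaks(db, "O'Brien special"))     # True
    # A value carrying SQL: parameters match nothing, formatting matches all.
    print(count_parameterized(db, "x' or '1'='1"))     # 0
    print(count_formatted(db, "x' or '1'='1"))         # 3
```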
