AttributeError: 'tuple' object has no attribute 'encode'

Paul Boddie paul at boddie.org.uk
Thu Apr 5 13:55:22 EDT 2007


Lenard Lindstrom wrote:
> >
> > I'm trying to build a SQL string
> >
> > sql = """INSERT INTO ag ('cid', 'ag', 'test') VALUES(%i, %s, %d)""",
> > (cid, ag, self.data[parent][child]['results']['test'])
>
> I am guessing you want the string formatting operator here:
>
> sql = """...""" % (cid, ...)

That's a superficial solution which encourages a bad practice: if any
of that data can be subverted to modify the query, as opposed to
merely providing a simple value, then you have a vulnerability in your
code. Perhaps the %i and %d substitutions may prevent such things, but
the %s substitution won't.

Paul
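As an added example, not part of the thread, the point Paul makes can be shown directly with the standard-library sqlite3 module. The table layout (an `ag` table with integer `cid`, text `ag`, integer `test`) is an assumption based on the column list in the quoted statement, and the hostile value is constructed for the demonstration. Note too that the trailing comma in the original line (`sql = """...""", (cid, ...)`) makes `sql` a 2-tuple rather than a string, which is consistent with the AttributeError in the subject line; the DB-API way is to pass the SQL and the tuple as two separate arguments to `execute`, as the second function below does.

```python
import sqlite3

# Constructed sample data: one legitimate insert, with an 'ag' value chosen by
# an attacker. It closes the quoted string, supplies its own 'test' value and
# then opens a second row, so the statement stays syntactically valid.
CID, TEST = 1, 5
HOSTILE_AG = "evil', 9999), (2, 'extra"


def fresh_db():
    """In-memory SQLite database with the 'ag' table from the thread.
    The column types are an assumption; the thread only shows the names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ag (cid INTEGER, ag TEXT, test INTEGER)")
    return conn


def insert_formatted(conn, cid, ag, test):
    """The pattern suggested in the thread: % formatting splices the values
    into the SQL text. %i and %d raise TypeError for anything that is not a
    number, but %s pastes any string, quotes and all, into the statement."""
    sql = "INSERT INTO ag (cid, ag, test) VALUES (%i, '%s', %d)" % (cid, ag, test)
    conn.execute(sql)
    return sql


def insert_parameterized(conn, cid, ag, test):
    """DB-API style: placeholders in the SQL, values passed as a separate
    tuple. The driver binds them as data, so they cannot change the shape of
    the statement. sqlite3 uses '?' placeholders; drivers whose paramstyle is
    'format' spell the placeholder %s, but that is still binding, not string
    formatting, as long as the tuple goes to execute() and not to the % operator."""
    sql = "INSERT INTO ag (cid, ag, test) VALUES (?, ?, ?)"
    conn.execute(sql, (cid, ag, test))
    return sql


def rows(conn):
    """All rows of the table, oldest cid first, as (cid, ag, test) tuples."""
    return conn.execute("SELECT cid, ag, test FROM ag ORDER BY cid").fetchall()


def demo():
    """Insert the hostile value both ways into two fresh databases and return
    (rows_after_formatted_insert, rows_after_parameterized_insert)."""
    formatted_db = fresh_db()
    insert_formatted(formatted_db, CID, HOSTILE_AG, TEST)

    parameterized_db = fresh_db()
    insert_parameterized(parameterized_db, CID, HOSTILE_AG, TEST)

    return rows(formatted_db), rows(parameterized_db)


if __name__ == "__main__":
    formatted, parameterized = demo()
    # Formatted: two rows, the attacker chose 'test' for the first and added a second.
    print("formatted:    ", formatted)
    # Parameterized: one row whose 'ag' column holds the hostile string verbatim.
    print("parameterized:", parameterized)
```

With string formatting the attacker-controlled `ag` value turns a one-row insert into a two-row insert and overrides the `test` column; with bound parameters the same value is stored, quotes and all, as the contents of a single text column. The `%i` and `%d` conversions do reject strings (a `TypeError`), which is why only the `%s` slot is the problem here.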
More information about the Python-list mailing list