Another MySQL Images Question

Victor Subervi victorsubervi at gmail.com
Fri Apr 18 19:06:54 CEST 2008


Thank you. That worked.
Victor

On Fri, Apr 18, 2008 at 10:48 AM, J. Cliff Dyer <jcd at unc.edu> wrote:

> There are several problems with your SQL, but not all of them would be
> caught by the computer.  Your SELECT statement is not parameterized.
> This is a security problem.  *Always* parameterize your variables.  Your
> UPDATE statement has an extraneous comma at the end, and it also has
> quotes around the "%s"es that you don't need, because you already
> parameterized that query.  Your dbapi interface will provide appropriate
> quoting for whatever type of data you pass it.
>
> Cheers,
> Cliff
>
>
> On Fri, 2008-04-18 at 10:13 -0500, Victor Subervi wrote:
> > Hi;
> > If I grab an image in the database thus:
> >
> >       sql = "select pic1 from products where id='" + str(id) + "';"
> >       cursor.execute(sql)
> >       pic1 = cursor.fetchall()[0][0].tostring()
> > #      pic1 = cursor.fetchall()[0][0]  // either this or the above
> > line
> >
> > and try and re-insert it thus:
> >
> >       cursor.execute('update products set pic1="%s" where id="%s", ;',
> > (pic1, id))
> >
> > it tells me I have an error in my MySQL syntax. What is the error?
> > TIA,
> > Victor
> --
> Oook,
> J. Cliff Dyer
> Carolina Digital Library and Archives
> UNC Chapel Hill
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20080418/05a55a50/attachment.html>


More information about the Python-list mailing list