Another MySQL Images Question
victorsubervi at gmail.com
Fri Apr 18 19:06:54 CEST 2008
Thank you. That worked.
On Fri, Apr 18, 2008 at 10:48 AM, J. Cliff Dyer <jcd at unc.edu> wrote:
> There are several problems with your SQL, but not all of them would be
> caught by the computer. Your SELECT statement is not parameterized.
> This is a security problem. *Always* parameterize your variables. Your
> UPDATE statement has an extraneous comma at the end, and it also has
> quotes around the "%s"es that you don't need, because you already
> parameterized that query. Your dbapi interface will provide appropriate
> quoting for whatever type of data you pass it.
> On Fri, 2008-04-18 at 10:13 -0500, Victor Subervi wrote:
> > Hi;
> > If I grab an image in the database thus:
> > sql = "select pic1 from products where id='" + str(id) + "';"
> > cursor.execute(sql)
> > pic1 = cursor.fetchall().tostring()
> > # pic1 = cursor.fetchall() // either this or the above line
> > and try and re-insert it thus:
> > cursor.execute('update products set pic1="%s" where id="%s", ;', (pic1, id))
> > it tells me I have an error in my MySQL syntax. What is the error?
> > TIA,
> > Victor
> J. Cliff Dyer
> Carolina Digital Library and Archives
> UNC Chapel Hill
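
Added example, not part of the original thread: the SELECT and UPDATE from the question written with bound parameters, next to the concatenated form, so the difference in how a quote-bearing id is handled can be checked. It assumes the standard-library sqlite3 module as a stand-in DB-API driver so it runs offline (its placeholder is `?`; with MySQLdb the placeholder is an unquoted `%s`), and the table contents and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample "image": every byte value, including quotes, NUL and '%'.
PIC = bytes(range(256))


def make_db():
    """In-memory stand-in for the products table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, pic1 BLOB)")
    conn.executemany(
        "INSERT INTO products (id, pic1) VALUES (?, ?)",
        [(1, PIC), (2, b"other"), (3, None)],
    )
    return conn


def select_concatenated(conn, product_id):
    # Pattern from the question: the value becomes part of the SQL text,
    # so a quote inside it changes what the statement means.
    sql = "select pic1 from products where id='" + str(product_id) + "'"
    return conn.execute(sql).fetchall()


def select_parameterized(conn, product_id):
    # The value is passed separately; the driver never parses it as SQL.
    return conn.execute(
        "select pic1 from products where id=?", (product_id,)
    ).fetchall()


def copy_pic(conn, src_id, dst_id):
    """Read one image and write it to another row using bound parameters."""
    # fetchone()[0] is the column value; fetchall() would be a list of rows.
    row = conn.execute(
        "select pic1 from products where id=?", (src_id,)
    ).fetchone()
    if row is None:
        raise LookupError("no product with id %r" % (src_id,))
    # No quotes around the placeholders and no trailing comma.
    conn.execute("update products set pic1=? where id=?", (row[0], dst_id))
    conn.commit()
    stored = conn.execute(
        "select pic1 from products where id=?", (dst_id,)
    ).fetchone()
    return stored[0]
```
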