Sqlite format string

Tim Chase python.list at tim.thechases.com
Sat Aug 29 18:26:38 EDT 2009


ivanko.rus at gmail.com wrote:
> 29.08.2009 15:40 user "Sergio Charpinel Jr."  
> <sergiocharpinel at gmail.com> wrote:
>> Thanks.
>> Do you know if both of them works for mysql too?
> 
>> 2009/8/29 ivanko.rus at gmail.com>
> 
>> 29.08.2009 15:27 user "Sergio Charpinel Jr."  
>> sergiocharpinel at gmail.com> wrote:
> 
> Actually, this works for any string (it doesn't depend on anything else).  
> So you can pass "somestring {0}".format(foo) to any function because the  
> string will be formatted _first_ and then passed as an argument. The same  
> goes with "somestring %s" % "foo". Both will work

Bad idea when assembling SQL, unless you _like_ SQL-injection 
attacks:

  sql = "select * from users where name='%s' and password='%s'"

  # get some values from an untrusted user:
  name = "administrator"
  password = "' or 1=1; drop table users; --"

  cursor.execute(sql % (name, password))
  # uh-oh!

This is why it's so important to use the DB API's own escaping 
functions.

-tkc
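The following is an added, runnable illustration of Tim's point, not code from the thread. It builds an in-memory SQLite database with two constructed users, runs the same login query once with `%` string formatting and once with DB-API parameter binding (the `?` placeholders of the sqlite3 module), and feeds both the `' or 1=1 --` payload. The table name, column names and user records are assumptions made for the demo.

```python
import sqlite3

# Constructed sample users for the demo (not from the original post).
USERS = [("administrator", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Return an in-memory SQLite connection seeded with USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, password text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    conn.commit()
    return conn


def login_unsafe(conn, name, password):
    """Build the query with % formatting, as in the post.

    The untrusted values become part of the SQL text, so a quote in
    `password` changes the query's structure. Returns matched names.
    """
    sql = "select name from users where name='%s' and password='%s'"
    cur = conn.execute(sql % (name, password))
    return sorted(row[0] for row in cur.fetchall())


def login_safe(conn, name, password):
    """Same query with DB-API parameters: the driver binds the values,
    so they are always data and never SQL. Returns matched names."""
    sql = "select name from users where name=? and password=?"
    cur = conn.execute(sql, (name, password))
    return sorted(row[0] for row in cur.fetchall())


def multi_statement_refused(conn):
    """Try the post's exact payload through the formatted query.

    The sqlite3 module only runs one statement per execute() call, so it
    rejects the trailing `drop table`. That is a quirk of this driver, not
    a defence: the `or 1=1` part alone is enough to bypass the login.
    Returns True if the driver refused the statement.
    """
    payload = "' or 1=1; drop table users; --"
    try:
        login_unsafe(conn, "administrator", payload)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # Older Pythons raise sqlite3.Warning, newer ones ProgrammingError.
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1=1 --"
    print("formatted :", login_unsafe(conn, "administrator", payload))
    print("parameters:", login_safe(conn, "administrator", payload))
    print("multi-statement payload refused:", multi_statement_refused(conn))
```

With the formatted query the payload matches every row, so the caller is "logged in" as anyone; with bound parameters it matches nothing. The same two-argument `execute(sql, params)` call is what to use with MySQL drivers too; MySQLdb happens to spell its placeholders `%s` rather than `?`, which is not string formatting even though it looks like it.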