Sqlite format string

Tim Chase python.list at tim.thechases.com
Sun Aug 30 00:26:38 CEST 2009


ivanko.rus at gmail.com wrote:
> 29.08.2009 15:40 пользователь "Sergio Charpinel Jr."  
> <sergiocharpinel at gmail.com> написал:
>> Thanks.
>> Do you know if both of them works for mysql too?
> 
>> 2009/8/29 ivanko.rus at gmail.com>
> 
>> 29.08.2009 15:27 пользователь "Sergio Charpinel Jr."  
>> sergiocharpinel at gmail.com> написал:
> 
> Actually, this works for any string (it doesn't depend on anything else).  
> So you can pass "somestring {0}".format(foo) to any function because the  
> string will be formatted _first_ and then passed as an argument. The same  
> goes with "somestring %s" % "foo". Both will work

Bad idea when assembling SQL, unless you _like_ SQL-injection 
attacks:

  sql = "select * from users where name='%s' and password='%s'"

  # get some values from an untrusted user:
  name = "administrator"
  password = "' or 1=1; drop table users; --"

  cursor.execute(sql % (name, password))
  # uh-oh!

This is why it's so important to use the DB API's own escaping 
functions.

-tkc








More information about the Python-list mailing list