Struggling to convert a mysql datetime object to a python string of a different format

John Nagle nagle at animats.com
Fri Aug 6 01:13:26 EDT 2010


On 8/4/2010 4:40 PM, Νίκος wrote:

> 		cursor.execute( ''' SELECT host, hits, date FROM visitors WHERE page
> = '%s' ORDER BY date DESC ''' % (page) )

Don't do string substitution ("%") on SQL statements.  Let MySQLdb do it 
for you, with proper escaping:

    cursor.execute('''SELECT host, hits, date FROM visitors WHERE page=%s
                      ORDER BY date DESC''', (page,))

The difference is that if some external source can control "page", and
they put in a value like

	100 ; DELETE FROM visitors; SELECT * FROM visitors

you just lost your data.

					John Nagle
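The contrast John describes, as an added example that is not part of the original thread: the string-substituted query is only built (so the reader can see the DELETE land inside the SQL text), while the parameterised query is run against a constructed in-memory table and the hostile value is handled as plain data. The example uses the standard-library `sqlite3` module as a stand-in for MySQLdb because it needs no server; note that sqlite3 uses `?` placeholders where MySQLdb uses `%s`, but the `(page,)` tuple is passed the same way in both. The table contents, host addresses and `O'Reilly.html` page name are made up for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the "visitors" table in the post.
SAMPLE_ROWS = [
    ("10.0.0.1", 3, "2010-08-04 10:00:00", "index.html"),
    ("10.0.0.2", 1, "2010-08-04 11:00:00", "index.html"),
    ("10.0.0.3", 7, "2010-08-05 09:30:00", "O'Reilly.html"),
]

# The hostile value quoted in the post; used here only as input data.
HOSTILE_PAGE = "100 ; DELETE FROM visitors; SELECT * FROM visitors"


def make_db():
    """Create an in-memory SQLite database with a constructed visitors table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE visitors (host TEXT, hits INTEGER, date TEXT, page TEXT)"
    )
    conn.executemany("INSERT INTO visitors VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unsafe_sql(page):
    """The pattern the post warns against: the value is pasted into the SQL text.

    Returned rather than executed, so the caller can inspect how the statement
    changes when `page` contains SQL of its own.
    """
    return (
        "SELECT host, hits, date FROM visitors WHERE page = '%s' "
        "ORDER BY date DESC" % (page,)
    )


def unsafe_breaks_on_quote(conn, page):
    """Show the correctness bug that comes with the injection bug: a legitimate
    value containing an apostrophe makes the substituted statement invalid SQL.
    Returns True if the database rejects the statement."""
    try:
        conn.execute(unsafe_sql(page))
    except sqlite3.Error:
        return True
    return False


def safe_query(conn, page):
    """Parameterised query: the driver sends `page` as a value, never as SQL.

    sqlite3 uses '?' placeholders; with MySQLdb the text would use '%s' and the
    same (page,) tuple as the second argument to execute().
    """
    cur = conn.execute(
        "SELECT host, hits, date FROM visitors WHERE page = ? ORDER BY date DESC",
        (page,),
    )
    return cur.fetchall()


def row_count(conn):
    """Number of rows still in the table; used to confirm nothing was deleted."""
    return conn.execute("SELECT COUNT(*) FROM visitors").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    print("substituted SQL text:", unsafe_sql(HOSTILE_PAGE))
    print("parameterised, hostile value:", safe_query(conn, HOSTILE_PAGE))
    print("parameterised, quoted value:", safe_query(conn, "O'Reilly.html"))
    print("rows remaining:", row_count(conn))
```

The parameterised path needs no escaping code of its own: the value with the embedded `DELETE` simply matches no page and returns nothing, the value with the apostrophe matches its row, and the table is untouched afterwards.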


