Another MySQL Problem

Stephen Hansen ixokai at ixokai.io
Wed Jun 23 13:08:07 EDT 2010


On Jun 23, 2010, at 9:12 AM, Paul Rubin <no.email at nospam.invalid> wrote:

> Stephen Hansen <me+list/python at ixokai.io> writes:
>
>> On 6/23/10 6:45 AM, Victor Subervi wrote:
>>
>>>  cursor.execute('select clientEmail from clients where client=%s', ...
>>
>> Do, 'client.replace("_", " ")' instead.
>
> Er, look what happened to Little Bobby Tables (a quick web search on his
> name should find his story) because someone wrote code like that.
> Really, write the code a different way, with a prepared query.


I think you misread. He is using parameterized queries-- just
incorrectly, as addressed later that you didn't quote. He isn't using
string formatting to generate the SQL. The mysql layer just uses %s as
a marker.

The line you did quote was just about using string methods for the
data to pass into the parameterized query-- not for SQL purposes but
just because the data in the table apparently has spaces and the data
in this part of his app has underscores. For some reason.

--Stephen
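The distinction made in this reply (the driver's `%s` placeholder is not Python string formatting, and `.replace("_", " ")` is applied to the data, not to the SQL) is illustrated below with an added example that is not part of the original thread. It uses the standard-library `sqlite3` module as a stand-in for MySQLdb so it runs offline; that substitution, the in-memory `clients` table and its rows are all constructed assumptions. Note that sqlite3 uses `?` as its placeholder where MySQLdb uses `%s`; the mechanism is the same in both: the driver binds the value and the value never becomes part of the query text.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the thread's MySQL "clients" table.
    # Client names are stored with spaces, which is what the original poster's
    # app was tripping over.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (client TEXT, clientEmail TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?)",
        [
            ("Acme Widgets", "billing@acme.example"),
            ("Bobby Tables", "bobby@tables.example"),
        ],
    )
    return conn


def lookup_unsafe(conn, client):
    # The pattern Paul Rubin was warning about: Python's % operator splices
    # the value into the SQL text before the driver ever sees it, so a value
    # containing quotes rewrites the WHERE clause.
    sql = "SELECT clientEmail FROM clients WHERE client='%s'" % client
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, client):
    # The pattern the original poster actually used: the placeholder is filled
    # by the driver (? here, %s in MySQLdb) and the value is bound as data.
    # No quoting is written by hand and no value can alter the query shape.
    rows = conn.execute(
        "SELECT clientEmail FROM clients WHERE client=?", (client,)
    )
    return [row[0] for row in rows]


def lookup_app_value(conn, client_with_underscores):
    # The point of Stephen's ".replace" suggestion: normalise the *data* so it
    # matches what the table stores, then hand it to the parameterized query.
    return lookup_param(conn, client_with_underscores.replace("_", " "))


if __name__ == "__main__":
    db = make_db()
    print(lookup_app_value(db, "Acme_Widgets"))   # matches after normalising
    print(lookup_param(db, "Acme_Widgets"))       # no match: underscores kept
    tainted = "x' OR '1'='1"
    print(lookup_unsafe(db, tainted))             # every row leaks
    print(lookup_param(db, tainted))              # treated as a literal name
```

Running the script shows the two failure modes side by side: the unnormalised value simply finds nothing (the bug in the thread), while only the string-formatted variant lets the quoted value change the meaning of the query. The parameterized lookup returns an empty list for the tainted input because no client is literally named `x' OR '1'='1`.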