Another MySQL Problem
Stephen Hansen
ixokai at ixokai.io
Wed Jun 23 13:08:07 EDT 2010
On Jun 23, 2010, at 9:12 AM, Paul Rubin <no.email at nospam.invalid> wrote:
> Stephen Hansen <me+list/python at ixokai.io> writes:
> > On 6/23/10 6:45 AM, Victor Subervi wrote:
> > > cursor.execute('select clientEmail from clients where client=%s', ...
> > Do, 'client.replace("_", " ")' instead.
> Er, look what happened to Little Bobby Tables (a quick web search on his
> name should find his story) because someone wrote code like that.
> Really, write the code a different way, with a prepared query.
I think you misread. He is using parameterized queries-- just
incorrectly, as addressed later that you didn't quote. He isn't using
string formatting to generate the SQL. The mysql layer just uses %s as
a marker.
The line you did quote was just about using string methods for the
data to pass into the parameterized query-- not for SQL purposes but
just because the data in the table apparently has spaces and the data
in this part of his app has underscores. For some reason.
--Stephen
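The distinction Stephen draws above, shown side by side as an added example (this is not code from the thread or from Victor's application). It uses Python's built-in sqlite3 module with an in-memory database as an assumed stand-in for MySQLdb, since no MySQL server is available here: sqlite3's placeholder is `?` where MySQLdb's is `%s` (its paramstyle is `format`), but in both drivers the marker is consumed by the driver and the user-supplied value never becomes part of the SQL text. The table layout and sample rows are constructed; one client name deliberately contains an apostrophe so the difference between pasting a value into the statement and binding it is visible on ordinary data.

```python
import sqlite3

# Constructed sample rows (not from the thread). The stored client names
# contain spaces, while the keys this part of the app uses have underscores,
# which is the mismatch the replace() call in the thread was working around.
SAMPLE_CLIENTS = [
    ("Acme Widgets", "billing@acme.example"),
    ("O'Brien Ltd", "ops@obrien.example"),
]


def make_db():
    """Build an in-memory table shaped like the one discussed in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table clients (client text, clientEmail text)")
    conn.executemany("insert into clients values (?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def lookup_email_formatted(conn, client):
    """The pattern Paul Rubin warned about: the value is pasted into the SQL text.

    Returns the matching emails, or None when the resulting statement is not
    valid SQL. An apostrophe in the input ends the string literal early; that
    is exactly the mechanism that lets attacker-chosen input change the query.
    """
    sql = "select clientEmail from clients where client='%s'" % client
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


def lookup_email_parameterized(conn, client):
    """What the thread's code actually does: the driver binds the value.

    sqlite3 uses '?' as the placeholder; MySQLdb uses '%s'. Either way the SQL
    string is fixed, and the value is passed separately in the parameter tuple.
    """
    sql = "select clientEmail from clients where client=?"
    # Normalising underscores to spaces is data manipulation applied before
    # binding; it never touches the SQL itself.
    key = client.replace("_", " ")
    return [row[0] for row in conn.execute(sql, (key,))]


if __name__ == "__main__":
    db = make_db()
    for name in ("Acme_Widgets", "O'Brien_Ltd"):
        print(name, "->", lookup_email_parameterized(db, name))
    print("formatted, with apostrophe:", lookup_email_formatted(db, "O'Brien Ltd"))
```

With the parameterized lookup both names resolve, including the one with the apostrophe; with string formatting the same legitimate input produces a statement the database rejects, which is the mild end of the same failure that the Bobby Tables story illustrates.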