Why Doesn't This MySQL Statement Execute?

Tom Borkin borkintom at gmail.com
Tue Dec 18 23:28:09 CET 2012


No (lol). It returns a date as a string: "2012-12-12" for example.
Tom


On Tue, Dec 18, 2012 at 6:02 PM, Wayne Werner <wayne at waynewerner.com> wrote:

> On Tue, 18 Dec 2012, Tom Borkin wrote:
>
>> Hi;
>> I have this test code:
>>
>>     if i_id == "1186":
>>       sql = 'insert into interactions values(Null, %s, "Call Back", "%s")' % (i_id, date_plus_2)
>>       cursor.execute(sql)
>>       db.commit()
>>       print sql
>> It prints the sql statement, but it doesn't execute. If I copy and paste
>> the sql into the mysql command line it does execute without warnings or
>> errors. What gives?
>>
>
> Does date_plus_2 contain
>
>      "Robert"); DROP TABLE interactions; --
>
> By any chance?
> -W
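
Added example, not code from the thread: Wayne's question points at what happens when a value containing a quote is pasted into SQL text with `%`, so this sketch puts that pattern beside a parameterized insert. It uses the standard-library sqlite3 module as a stand-in for MySQL so it runs offline; the column names, helper functions and the sample value are assumptions.

```python
import sqlite3

# Constructed sample value, modelled on the string in Wayne's reply.
HOSTILE = "Robert'); DROP TABLE interactions; --"

def make_db():
    """In-memory stand-in for the poster's table (column names are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table interactions ("
               "id integer primary key, contact_id integer, kind text, due text)")
    return db

def stored_dues(db):
    """Return the stored date column, oldest row first."""
    return [row[0] for row in db.execute("select due from interactions order by id")]

def insert_formatted(db, i_id, date_plus_2):
    """The pattern from the post: values pasted into the SQL text with %."""
    sql = ("insert into interactions values(NULL, %s, 'Call Back', '%s')"
           % (i_id, date_plus_2))
    try:
        db.execute(sql)
        db.commit()
        return True
    except (sqlite3.Error, sqlite3.Warning):
        # A quote inside the value closed the literal early, so the text is no
        # longer the single insert the programmer wrote; sqlite3 rejects it.
        db.rollback()
        return False

def insert_parameterized(db, i_id, date_plus_2):
    """Values are passed separately from the SQL text and never parsed as SQL."""
    # sqlite3 uses ? placeholders; MySQLdb uses %s, but the values are still
    # given as the second argument to execute(), not joined with the % operator.
    db.execute("insert into interactions values(NULL, ?, 'Call Back', ?)",
               (i_id, date_plus_2))
    db.commit()
    return True

if __name__ == "__main__":
    db = make_db()
    print(insert_formatted(db, "1186", "2012-12-12"))
    print(insert_formatted(db, "1186", HOSTILE))
    print(insert_parameterized(db, "1186", HOSTILE))
    print(stored_dues(db))
```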