Why Doesn't This MySQL Statement Execute?

Hans Mulder hansmu at xs4all.nl
Tue Dec 18 23:57:10 CET 2012


On 18/12/12 22:34:08, Tom Borkin wrote:
> Hi;
> I have this test code:
>  
>     if i_id == "1186":
>       sql = 'insert into interactions values(Null, %s, "Call Back", "%s")' % (i_id, date_plus_2)
>       cursor.execute(sql)
>       db.commit()
>       print sql
> It prints the sql statement, but it doesn't execute. If I copy and paste
> the sql into the mysql command line it does execute without warnings or
> errors. What gives?

What happens if you do:


    if i_id == "1186":
      sql = 'insert into interactions values(Null, %s, "Call Back", %s)'
      cursor.execute(sql, (i_id, date_plus_2))
      db.commit()
      print sql

Note the absence of quotes around the second %s in the sql command.

This should work correctly even if date_plus_2 happens to contain

     Robert"); DROP TABLE interactions; --


For background information, see http://bobby-tables.com/python.html


Hope this helps,

-- HansM
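An added, runnable illustration of the point in Hans's reply (this is not code from either post). It uses the standard-library sqlite3 module instead of MySQLdb so it runs offline; sqlite3 spells the placeholder `?` where MySQLdb uses `%s`, but in both drivers the values travel separately from the statement text. The column layout of `interactions` is an assumption, since neither message shows the schema; the hostile value is the one Hans quotes.

```python
import sqlite3

# Constructed stand-in for the "interactions" table in the thread. The real
# MySQL schema is not shown there, so these four columns are an assumption
# that matches the four values in the original insert.
SCHEMA = """
create table interactions (
    id   integer primary key autoincrement,
    i_id integer,
    kind text,
    due  text
)
"""

# The value Hans mentions: passed as a parameter it is just a string.
HOSTILE_DATE = 'Robert"); DROP TABLE interactions; --'


def naive_sql(i_id, date_plus_2):
    """The original approach: values pasted into the SQL text with %.

    Returned as text and deliberately never executed here; the point is to
    show that the hostile value turns one statement into two."""
    return ('insert into interactions values(Null, %s, "Call Back", "%s")'
            % (i_id, date_plus_2))


def insert_interaction(conn, i_id, date_plus_2):
    """Parameterised insert, as in Hans's reply.

    sqlite3 uses ? where MySQLdb uses %s; with MySQLdb the call is
    cursor.execute(sql, (i_id, date_plus_2)) with the same tuple."""
    cur = conn.cursor()
    cur.execute("insert into interactions values(NULL, ?, 'Call Back', ?)",
                (i_id, date_plus_2))
    conn.commit()
    return cur.rowcount


def demo():
    """Insert the hostile value safely and report what ended up in the table.

    Returns (rows inserted, stored `due` values, 1 if the table still exists)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = insert_interaction(conn, "1186", HOSTILE_DATE)
    stored = [r[0] for r in conn.execute("select due from interactions")]
    table_exists = conn.execute(
        "select count(*) from sqlite_master where name = 'interactions'"
    ).fetchone()[0]
    return rows, stored, table_exists


if __name__ == "__main__":
    print("naive text :", naive_sql("1186", HOSTILE_DATE))
    print("parameterised:", demo())
```

Running it shows the naive text containing a second `DROP TABLE` statement, while the parameterised insert stores the whole hostile string as the `due` value of a single row and leaves the table in place.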
