MySQLdb not allowing hyphen

John Nagle nagle at animats.com
Wed Feb 8 14:41:44 EST 2012


On 2/5/2012 2:46 PM, Chris Rebert wrote:
> On Sun, Feb 5, 2012 at 2:41 PM, Emeka<emekamicro at gmail.com>  wrote:
>>
>> Hello All,
>>
>> I noticed that MySQLdb not allowing hyphen may be way to prevent injection
>> attack.
>> I have something like below:
>>
>> "insert into reviews(message, title)values('%s', '%s')" %( "We don't know
>> where to go","We can't wait till morrow" )
>>
>> ProgrammingError(1064, "You have an error in your SQL syntax; check the
>> manual that corresponds to your MySQL server version for the right syntax to
>> use near 't know where to go.
>>
>> How do I work around this error?
>
> Don't use raw SQL strings in the first place. Use a proper
> parameterized query, e.g.:
>
> cursor.execute("insert into reviews(message, title) values (%s, %s)",
>      ("We don't know where to go", "We can't wait till morrow"))

   Yes.  You are doing it wrong.  Do NOT use the "%" operator when
putting SQL queries together.  Let "cursor.execute" fill them
in.  It knows how to escape special characters in the input fields,
which will fix your bug and prevent SQL injection.

					John Nagle



More information about the Python-list mailing list