MySQLdb not allowing hyphen
emekamicro at gmail.com
Sun Feb 5 18:52:28 EST 2012
Dennis, Chris,
Thanks so much!
On Mon, Feb 6, 2012 at 1:23 AM, Dennis Lee Bieber <wlfraed at ix.netcom.com> wrote:
> On Mon, 6 Feb 2012 00:41:24 +0200, Emeka <emekamicro at gmail.com> wrote:
> >Hello All,
> >I noticed that MySQLdb not allowing hyphens may be a way to prevent injection
> What hyphen?
> >I have something like below:
> >"insert into reviews(message, title)values('%s', '%s')" %( "We don't know
> >where to go","We can't wait till morrow" )
> >How do I work around this error?
> Very simple... DON'T QUOTE PLACEHOLDERS AND USE MySQLdb
> parameterized queries.
> csr.execute("insert into reviews (message, title) values (%s, %s)",
> ( "We don't know where to go",
> "We can't wait till <sic> morrow" ) )
> The whole purpose of parameterized queries is that the .execute()
> logic will SAFELY wrap the supplied values with quotes AND escape any
> problem characters within the value.
> The reason you got an error was not a hyphen (there are no hyphens
> in your example) but rather that you closed the quote. Your generated
> SQL was:
> insert into reviews (message, title) values ('We don't know where to
> go', 'We can't wait till morrow')
> which means a string of:
> "We don"
> SQL garbage
> t know where to go
> ", "
> SQL garbage
> We can
> and another string
> "t wait till morrow"
> Wulfraed Dennis Lee Bieber AF6VN
> wlfraed at ix.netcom.com HTTP://wlfraed.home.netcom.com/
Satajanus Nig. Ltd
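The two approaches Dennis contrasts, shown side by side in a runnable form. This is an added example, not code from the thread; it uses the standard-library sqlite3 module instead of MySQLdb so it runs without a MySQL server, and sqlite3's placeholder is "?" where MySQLdb's is "%s" (in both drivers the placeholder is filled in by the driver's execute(), not by Python's % operator). The table name and the two review strings are the ones from the original question; the function names are this example's own.

```python
import sqlite3

# Sample values taken from the question: both contain an apostrophe, which is
# the real cause of the error (there are no hyphens in them).
MESSAGE = "We don't know where to go"
TITLE = "We can't wait till morrow"


def make_db():
    """In-memory SQLite database with the same table shape as the thread's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table reviews (message text, title text)")
    return conn


def generated_sql(message, title):
    """The SQL text that the original question's % formatting actually produces.
    The apostrophe in each value closes the quoted literal early, leaving
    "t know where to go" and "t wait till morrow" outside any string."""
    return "insert into reviews(message, title) values('%s', '%s')" % (message, title)


def insert_with_string_formatting(conn, message, title):
    """The approach from the question: quoted placeholders filled by % formatting.
    Returns None on success, or the database's error message on failure.
    Any value containing a quote breaks the statement (or, worse, changes it)."""
    try:
        conn.execute(generated_sql(message, title))
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def insert_parameterized(conn, message, title):
    """Dennis's recommendation: unquoted placeholders, values passed as a tuple.
    The driver quotes and escapes the values itself, so apostrophes are stored
    as data and never become part of the SQL syntax.
    Returns the rows now in the table."""
    conn.execute(
        "insert into reviews (message, title) values (?, ?)",  # MySQLdb: (%s, %s)
        (message, title),
    )
    conn.commit()
    return conn.execute("select message, title from reviews").fetchall()


if __name__ == "__main__":
    db = make_db()
    print("Generated SQL:", generated_sql(MESSAGE, TITLE))
    print("String formatting:", insert_with_string_formatting(db, MESSAGE, TITLE))
    print("Parameterized:", insert_parameterized(db, MESSAGE, TITLE))
```

Running it prints the broken statement, the syntax error the string-formatted insert raises, and the single row the parameterized insert stores with both apostrophes intact. The same distinction applies to MySQLdb: pass the tuple as the second argument to csr.execute() and leave the "%s" placeholders unquoted, as in Dennis's snippet.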