MySQLdb not allowing hyphen
John Nagle
nagle at animats.com
Wed Feb 8 14:41:44 EST 2012
On 2/5/2012 2:46 PM, Chris Rebert wrote:
> On Sun, Feb 5, 2012 at 2:41 PM, Emeka<emekamicro at gmail.com> wrote:
>>
>> Hello All,
>>
>> I noticed that MySQLdb not allowing hyphen may be way to prevent injection
>> attack.
>> I have something like below:
>>
>> "insert into reviews(message, title)values('%s', '%s')" %( "We don't know
>> where to go","We can't wait till morrow" )
>>
>> ProgrammingError(1064, "You have an error in your SQL syntax; check the
>> manual that corresponds to your MySQL server version for the right syntax to
>> use near 't know where to go.
>>
>> How do I work around this error?
>
> Don't use raw SQL strings in the first place. Use a proper
> parameterized query, e.g.:
>
> cursor.execute("insert into reviews(message, title) values (%s, %s)",
> ("We don't know where to go", "We can't wait till morrow"))
Yes. You are doing it wrong. Do NOT use the "%" operator when
putting SQL queries together. Let "cursor.execute" fill them
in. It knows how to escape special characters in the input fields,
which will fix your bug and prevent SQL injection.
John Nagle
More information about the Python-list
mailing list