MySQL Database
MRAB
python at mrabarnett.plus.com
Wed May 8 15:07:39 EDT 2013
On 08/05/2013 19:52, Kevin Holleran wrote:
> Hello,
>
> I want to connect to a MySQL database, query for some records,
> manipulate some data, and then update the database.
>
> When I do something like this:
>
> db_c.execute("SELECT a, b FROM Users")
>
> for row in db_c.fetchall():
>
> (r,d) = row[0].split('|')
>
> (g,e) = domain.split('.')
>
> db_c.execute("UPDATE Users SET g = '"+ g + "' WHERE a ='"+ row[0])
>
>
> Will using db_c to update the database mess up the loop that is cycling
> through db_c.fetchall()?
>
You shouldn't be building an SQL string like that because it's
susceptible to SQL injection. You should be doing it more like this:
db_c.execute("UPDATE Users SET g = %s WHERE a = %s", (g, row[0]))
The values will then be handled safely for you.
More information about the Python-list
mailing list