[python-win32] How to specify parameters in a query using odbc

Tim Roberts timr at probo.com
Wed Feb 2 19:03:35 CET 2011

Matteo Boscolo wrote:
> try:
> myQuery ="""your sql code """%((‘foo’, ‘bar’))
> and then
> cursor.execute(myQuery)

No, no, no!  Don't EVER do that.  The whole reason these parameter
substitution schemes exist is because it prevents code like this, which
is open to SQL injection attacks.

The only time you should be using Python's % substitution with SQL is
when you need to supply table or field names, and even then you need to
be careful if the names came from user input.  Any time you are
supplying a data value, you should ALWAYS use the API's substitution scheme.

Tim Roberts, timr at probo.com
Providenza & Boekelheide, Inc.

More information about the python-win32 mailing list