[Tutor] Didn't take long to hit my next wall!
Kent Johnson
kent37 at tds.net
Sun Apr 16 13:35:26 CEST 2006
Alan Gauld wrote:
> Hi John,
>
> I've no idea why its not working but this illustrates why I prefer to create
> the sql string outside the execute - its a lot easier to debug when you can
> print the string exactly as passed to execute. I know many others like to
> leave execute to do the escaping stuff but I prefer to see what I'm doing
> and put in a little extra effort.
>
> So I would write it as:
>
> query = '''UPDATE cost_grid
> SET cost_1 = %s
> WHERE cost_grid_id = %s
> AND finish_dro = %s''' % (a, c, b)
> c.execute(query)
Yikes! Alan! Certainly you know what an SQL injection attack is? And
what if the data contains special characters?
For those who don't know, imagine what happens in the above if
b = '91.4; drop table cost_grid;'
or even
b = 'a;b;"c"update'
Kent
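As an added illustration of the point Kent is making (this is not code from either poster), the script below runs Alan's string-formatted UPDATE and a placeholder-based version of the same statement side by side against an in-memory sqlite3 table. The column names `cost_grid`, `cost_1`, `cost_grid_id` and `finish_dro` come from the thread; the table's rows, the `demo`/`attempt` helpers and the sample values are constructed for the demo. sqlite3 uses `?` as its placeholder where MySQLdb uses `%s`; the principle is the same for any DB-API driver.

```python
import sqlite3


def make_db():
    # Constructed schema and rows; only the column names come from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cost_grid (cost_grid_id INTEGER, finish_dro TEXT, cost_1 REAL)"
    )
    conn.executemany(
        "INSERT INTO cost_grid VALUES (?, ?, ?)",
        [(1, "matte", 10.0), (2, "gloss", 12.5)],
    )
    return conn


def update_formatted(conn, a, c, b):
    # Alan's pattern: the values are spliced into the SQL text before execute()
    # sees it, so a string value becomes part of the statement's syntax.
    query = '''UPDATE cost_grid
    SET cost_1 = %s
    WHERE cost_grid_id = %s
    AND finish_dro = %s''' % (a, c, b)
    conn.execute(query)
    conn.commit()


def update_parameterized(conn, a, c, b):
    # Placeholders: the SQL text is fixed and the driver hands the values to the
    # engine separately, so whatever they contain is only ever treated as data.
    query = '''UPDATE cost_grid
    SET cost_1 = ?
    WHERE cost_grid_id = ?
    AND finish_dro = ?'''
    conn.execute(query, (a, c, b))
    conn.commit()


def cost_for(conn, cost_grid_id):
    row = conn.execute(
        "SELECT cost_1 FROM cost_grid WHERE cost_grid_id = ?", (cost_grid_id,)
    ).fetchone()
    return row[0] if row else None


def table_exists(conn):
    count = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='cost_grid'"
    ).fetchone()[0]
    return count == 1


def attempt(update, conn, a, c, b):
    """Run one update; return 'ok' or the name of the exception it raised."""
    try:
        update(conn, a, c, b)
        return "ok"
    except Exception as exc:  # sqlite3.Error, or sqlite3.Warning on older Pythons
        return type(exc).__name__


def demo():
    conn = make_db()
    out = {}
    # An ordinary value: formatting yields `finish_dro = matte`, an unquoted
    # identifier, so sqlite looks for a column called matte and fails.
    out["formatted_plain"] = attempt(update_formatted, conn, 11.0, 1, "matte")
    out["param_plain"] = attempt(update_parameterized, conn, 11.0, 1, "matte")
    out["cost_1_after_plain"] = cost_for(conn, 1)

    # Kent's two payloads. Formatted, both splice raw text into the statement and
    # sqlite rejects each: the first because sqlite3's execute() refuses to run
    # more than one statement, the second already at parse time as a bad column
    # reference. Not every DB-API driver refuses multiple statements.
    for label, b in (("drop", "91.4; drop table cost_grid;"),
                     ("junk", 'a;b;"c"update')):
        out["formatted_" + label] = attempt(update_formatted, conn, 11.0, 1, b)
        out["param_" + label] = attempt(update_parameterized, conn, 11.0, 1, b)
    out["table_survives"] = table_exists(conn)

    # With placeholders the payload is just a string: a row whose finish_dro
    # really is that text gets matched and updated, and nothing else happens.
    conn.execute("INSERT INTO cost_grid VALUES (?, ?, ?)",
                 (3, "91.4; drop table cost_grid;", 0.0))
    out["param_matches_literal"] = attempt(
        update_parameterized, conn, 7.5, 3, "91.4; drop table cost_grid;")
    out["cost_1_row3"] = cost_for(conn, 3)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows that the formatted version fails even on an ordinary value like `matte` (no quoting was applied), while the parameterized version succeeds on every input and never executes anything the values contain. For debugging, print the query template and the parameter tuple separately rather than building the final string yourself.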