[Tutor] SQL Queries For MySQL
Alan Gauld
alan.gauld at btinternet.com
Thu Oct 12 09:31:04 CEST 2006
> query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> cursor.execute(query)
There can be security issues with this style, especially
if the parameters can be modified by users - for example
you read the values from a web page.
The cursor.execute() call has the ability to pass the parameters
in directly, ie combining the two statements above into one.
The details of how you do that vary between database
drivers so you need to check the documents but I think for
MySQL it's almost an exact translation:
query = "SELECT * FROM DB WHERE NAME = %s"
cursor.execute(query, (name,))  # parameters go in a tuple; the driver quotes/escapes the value
If you search the list archives you'll find a fairly long thread
describing the whys/wherefores in much more depth.
HTH,
--
Alan Gauld
Author of the Learn to Program web site
http://www.freenetpages.co.uk/hp/alan.gauld
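An added, self-contained illustration of the point above (not part of the original post or of any MySQL driver): it uses the standard-library sqlite3 module as a stand-in for MySQLdb, because sqlite3 runs offline, and builds a small constructed table named DB. The only difference from MySQLdb is the placeholder character: sqlite3's paramstyle is 'qmark' ('?'), while MySQLdb's is 'format' ('%s'), so with MySQLdb the query text stays exactly as in the post and the call is execute(query, (name,)). A name containing an apostrophe, such as O'Brien, shows why the two styles differ: spliced into the SQL text it changes the statement and the query fails to parse, while passed as a parameter it is simply matched as data.

```python
import sqlite3

# Constructed sample data standing in for the MySQL table "DB" in the post.
SAMPLE_ROWS = [
    ("alice", "alice@example.org"),
    ("O'Brien", "obrien@example.org"),
]


def make_db():
    """Build an in-memory SQLite table with the shape the post assumes (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DB (NAME TEXT, EMAIL TEXT)")
    conn.executemany("INSERT INTO DB VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_formatted(conn, name):
    """The pattern quoted in the post: the value is spliced into the SQL text.

    Quotes are added around %s because the value is a string; that still leaves
    any quote character inside the value free to alter the statement itself.
    """
    query = "SELECT * FROM DB WHERE NAME = '%s'" % (name,)
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """The fix the post recommends: hand the value to execute() as a parameter.

    sqlite3 uses the 'qmark' paramstyle ('?'); MySQLdb uses 'format' ('%s'),
    so with MySQLdb the query text keeps %s and the call is execute(query, (name,)).
    The driver quotes and escapes the value, so the SQL text never changes.
    """
    query = "SELECT * FROM DB WHERE NAME = ?"
    return conn.execute(query, (name,)).fetchall()


def formatted_query_breaks(conn, name):
    """Return True if the string-formatted lookup fails to parse for this name."""
    try:
        lookup_formatted(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print(lookup_parameterized(conn, "alice"))
    print(lookup_parameterized(conn, "O'Brien"))    # found: the apostrophe is just data
    print(formatted_query_breaks(conn, "O'Brien"))  # True: the apostrophe altered the SQL
```

To port this to MySQLdb, replace the '?' with '%s' in lookup_parameterized and keep the tuple argument; checking the driver module's paramstyle attribute (sqlite3.paramstyle, MySQLdb.paramstyle) tells you which placeholder a given DB-API driver expects.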