[Tutor] SQL Queries For MySQL

johnf jfabiani at yolo.com
Thu Oct 12 15:19:30 CEST 2006


On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > cursor.execute(query)
>
> There can be security issues with this style, especially
> if the parameters can be modified by users - for example
> you read the values from a web page.
>
> The cursor.execute() call has the ability to pass the parameters
> in directly, ie combining the two statements above into one.
> The details of how you do that varies between database
> drivers so you need to check the documents but I think for
> MySQL it's almost an exact translation:
>
> query = "SELECT * FROM DB WHERE NAME = %s"
> cursor.execute(query, (name,))
>
> If you search the list archives you'll find a fairly long thread
> describing the whys/wherefores in much more depth.
>
> HTH,
Since the archive is large - could you provide the subject title.

Thanks
John
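An added example (not from the thread) that makes the difference Alan describes concrete. It uses Python's standard sqlite3 module as an offline stand-in for MySQL, with a constructed table; the only driver-specific detail is the placeholder, `?` for sqlite3 versus `%s` for MySQLdb.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the MySQL table in the thread.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE DB (NAME TEXT, EMAIL TEXT)")
    con.executemany("INSERT INTO DB VALUES (?, ?)",
                    [("alice", "alice@example.com"),
                     ("O'Brien", "obrien@example.com")])
    return con

def lookup_unsafe(con, name):
    # The style the thread warns about: the value is pasted into the SQL
    # text, so the database parses whatever it contains as SQL.
    query = "SELECT EMAIL FROM DB WHERE NAME = '%s'" % (name,)
    return [row[0] for row in con.execute(query)]

def lookup_safe(con, name):
    # Parameterised form: the value travels separately from the statement
    # and is never parsed as SQL. With MySQLdb this is
    # cursor.execute("... WHERE NAME = %s", (name,)) with the same tuple.
    query = "SELECT EMAIL FROM DB WHERE NAME = ?"
    return [row[0] for row in con.execute(query, (name,))]

def unsafe_breaks(con, name):
    """True if the string-formatted query fails to parse for this value."""
    try:
        lookup_unsafe(con, name)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    con = make_db()
    # A perfectly legitimate name containing a quote is enough to show that
    # the formatted query is being parsed as SQL rather than as data.
    print("safe:", lookup_safe(con, "O'Brien"))
    print("formatted query breaks on O'Brien:", unsafe_breaks(con, "O'Brien"))
```

Any value that changes how the formatted statement parses is a sign that it would also let a user change what the statement does, which is exactly the risk Alan is pointing at.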

