[Tutor] SQL Queries For MySQL

Jason Massey jason.massey at gmail.com
Thu Oct 12 16:14:59 CEST 2006


On 10/12/06, johnf <jfabiani at yolo.com> wrote:
>
>
> On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > > cursor.execute(query)
> >
> > There can be security issues with this style, especially
> > if the parameters can be modified by users - for example
> > you read the values from a web page.
> >
> > The cursor.execute() call has the ability to pass the parameters
> > in directly, ie combining the two statements above into one.
> > The details of how you do that varies between database
> > drivers so you need to check the documents but I think for
> > MySQL it's almost an exact translation:
> >
> > query = "SELECT * FROM DB WHERE NAME = %s"
> > cursor.execute(query, name)
> >
> > If you search the list archives you'll find a fairly long thread
> > describing the whys/wherefores in much more depth.
> >
> > HTH,
> Since the archive is large - could you provide the subject title.
>
> Thanks
> John
> _______________________________________________
> Tutor maillist  -  Tutor at python.org
> http://mail.python.org/mailman/listinfo/tutor
>


Forgot to forward to the list...

Check out this posting from Danny:

http://mail.python.org/pipermail/tutor/2003-April/022010.html
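To make the difference Alan describes concrete, here is an added example (not from the thread) that runs the formatted query beside the parameterised one. It assumes the stdlib sqlite3 module in place of MySQL so it runs offline (sqlite3 uses "?" placeholders where MySQLdb uses "%s"), and a small constructed users table; the quotes around %s are added so the formatted version is at least valid SQL for ordinary names.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for MySQL so this runs offline.
ROWS = [("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("O'Brien", "ob@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def unsafe_lookup(conn, name):
    """String formatting: the value is spliced into the SQL text itself,
    so any quote character in it is parsed as part of the statement."""
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def safe_lookup(conn, name):
    """Parameter passing: the driver binds the value separately; it is
    treated as data and never parsed as SQL. Note the params go in a tuple."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def compare(name):
    """Return (formatted result, parameterised result) for one input.
    A database error from the formatted version is returned as a string."""
    conn = make_db()
    try:
        unsafe = unsafe_lookup(conn, name)
    except sqlite3.Error as exc:
        unsafe = "error: %s" % exc
    return unsafe, safe_lookup(conn, name)


if __name__ == "__main__":
    # A plain name, a name containing a quote, and a value that changes the
    # meaning of the formatted statement but is just a literal when bound.
    for value in ["alice", "O'Brien", "x' OR 'a'='a"]:
        print(repr(value), compare(value))
```

With the formatted query, the name containing an apostrophe raises a syntax error and the third value matches every row; the parameterised query returns exactly the rows whose name equals the input.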