[Tutor] SQL Queries For MySQL

Python python at venix.com
Thu Oct 12 16:19:13 CEST 2006


On Thu, 2006-10-12 at 06:19 -0700, johnf wrote:
> On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > > cursor.execute(query)
> >
> > There can be security issues with this style, especially
> > if the parameters can be modified by users - for example
> > you read the values from a web page.
> >
> > The cursor.execute() call has the ability to pass the parameters
> > in directly, ie combining the two statements above into one.
> > The details of how you do that varies between database
> > drivers so you need to check the documents but I think for
> > MySQL it's almost an exact translation:
> >
> > query = "SELECT * FROM DB WHERE NAME = %s"
> > cursor.execute(query, (name,))
> >
> > If you search the list archives you'll find a fairly long thread
> > describing the whys/wherefores in much more depth.
> >
> > HTH,
> Since the archive is large - could you provide the subject title.

http://www.google.com/search?hl=en&q=cursor.execute+tutor+python&btnG=Google+Search

The above google search should get you pretty close.  It is looking for:
	cursor.execute tutor python

In particular, this link (from the first page)
http://www.mail-archive.com/tutor@python.org/msg15716.html
is probably part of the thread you want.

> 
> Thanks
> John
-- 
Lloyd Kvam
Venix Corp
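An added example (not from the thread) contrasting the two styles Alan describes. It uses the stdlib sqlite3 driver so it runs without a MySQL server; sqlite3's paramstyle is `?` where MySQLdb uses `%s`, but the `cursor.execute(query, params)` call is the same DB-API mechanism. The table and rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the MySQL table named DB in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DB (ID INTEGER, NAME TEXT)")
    conn.executemany("INSERT INTO DB VALUES (?, ?)",
                     [(1, "Alice"), (2, "O'Brien"), (3, "Bob")])
    return conn


def lookup_formatted(conn, name):
    # The pattern from the quoted post: the value is spliced into the SQL text
    # by Python before the driver ever sees it. Quotes are added here so the
    # ordinary case works at all; the driver still cannot tell data from SQL.
    query = "SELECT * FROM DB WHERE NAME = '%s'" % (name,)
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    # The style Alan recommends: the SQL text is fixed and the value travels
    # separately, so the driver quotes/escapes it. With MySQLdb the query
    # string keeps its %s placeholder: cursor.execute(query, (name,)).
    query = "SELECT * FROM DB WHERE NAME = ?"
    return conn.execute(query, (name,)).fetchall()


def formatted_breaks_on(name):
    # True when the spliced query fails for a legitimate value. A name
    # containing a quote ends the string literal early and the rest of the
    # value is parsed as SQL, which is exactly the opening an untrusted
    # input would have; the bound version just treats it as data.
    try:
        lookup_formatted(make_db(), name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    for candidate in ("Alice", "O'Brien"):
        print(candidate, "formatted fails:", formatted_breaks_on(candidate),
              "bound result:", lookup_parameterized(make_db(), candidate))
```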