[Tutor] SQL Queries For MySQL
johnf
jfabiani at yolo.com
Thu Oct 12 23:46:07 CEST 2006
On Thursday 12 October 2006 07:14, Jason Massey wrote:
> On 10/12/06, johnf <jfabiani at yolo.com> wrote:
> > On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > > > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > > > cursor.execute(query)
> > >
> > > There can be security issues with this style, especially
> > > if the parameters can be modified by users - for example
> > > you read the values from a web page.
> > >
> > > The cursor.execute() call has the ability to pass the parameters
> > > in directly, ie combining the two statements above into one.
> > > The details of how you do that varies between database
> > > drivers so you need to check the documents but I think for
> > > MySQL its almost an exact translation:
> > >
> > > query = "SELECT * FROM DB WHERE NAME = %s"
> > > cursor.execute(query, name)
> > >
> > > If you search the list archives you'll find a fairly long thread
> > > describing the whys/wherefores in much more depth.
> > >
> > > HTH,
> >
> > Since the archive is large - could you provide the subject title.
> >
> > Thanks
> > John
> > _______________________________________________
> > Tutor maillist - Tutor at python.org
> > http://mail.python.org/mailman/listinfo/tutor
>
> Forgot to forward to the list...
>
> Check out this posting from Danny:
>
> http://mail.python.org/pipermail/tutor/2003-April/022010.html
OK, from what I understand, you are concerned with "SQL injection". But I don't
see the difference between the two statements preventing "SQL injection".
Can someone explain?
John
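The difference John asks about, shown as an added example that is not part of the original thread: the first form pastes the user's value into the SQL text before the database sees it, so a value containing quotes and `OR` becomes part of the query; the second form hands the SQL and the value to the driver separately, and the driver quotes/escapes the value (or binds it server-side), so it can only ever be compared as data. To keep the example runnable offline it uses Python's bundled `sqlite3` module instead of MySQLdb, so the placeholder is `?` rather than MySQLdb's `%s`; the table, the rows and the hostile input are constructed for the demonstration. The single quotes around `%s` in the unsafe query are added here so that the honest lookup is valid SQL; the thread's version omits them.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_ROWS = [
    ("alice", "alice-secret"),
    ("bob", "bob-secret"),
]


def make_db():
    """Create an in-memory database standing in for the MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_query_unsafe(name):
    # The thread's first form: the value is formatted into the SQL string
    # before execute() is called, so whatever it contains is parsed as SQL.
    return "SELECT name, secret FROM users WHERE name = '%s'" % (name,)


def lookup_unsafe(conn, name):
    return conn.execute(build_query_unsafe(name)).fetchall()


def lookup_safe(conn, name):
    # The thread's second form: the SQL text is fixed and the value travels
    # separately as a parameter. sqlite3 writes the placeholder as '?';
    # MySQLdb writes it as '%s' and takes the values as a tuple as well.
    query = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    """Run both forms against an honest name and a hostile one."""
    conn = make_db()
    honest = "alice"
    # Hostile input: closes the quoted literal and appends an always-true test.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_sql": build_query_unsafe(hostile),
        "unsafe_honest": lookup_unsafe(conn, honest),
        "unsafe_hostile": lookup_unsafe(conn, hostile),   # every row leaks
        "safe_honest": lookup_safe(conn, honest),
        "safe_hostile": lookup_safe(conn, hostile),       # no row matches
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the block prints the formatted string the unsafe path actually executes (`... WHERE name = 'x' OR '1'='1'`) and shows it returning both users' rows, while the parameterized lookup with the same hostile value returns nothing, because the driver compared the literal string `x' OR '1'='1` against the name column. Escaping quotes by hand is not a substitute: the driver knows the rules of the server it talks to, and the parameter form also covers values that are not strings.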