[Tutor] SQL Queries For MySQL
python at venix.com
Fri Oct 13 01:51:06 CEST 2006
On Thu, 2006-10-12 at 14:46 -0700, johnf wrote:
> On Thursday 12 October 2006 07:14, Jason Massey wrote:
> > On 10/12/06, johnf <jfabiani at yolo.com> wrote:
> > > On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > > > > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > > > > cursor.execute(query)
> > > > query = "SELECT * FROM DB WHERE NAME = %s"
> > > > cursor.execute(query, name)
> OK from what I understand you are concerned with "SQL injection". But I don't
> see the difference between the two statements preventing "SQL injection".
Suppose name = 'x"; DELETE FROM DB; SELECT COUNT(*) FROM DB; SELECT FROM DB WHERE NAME = "x'
The first version will simply build a string with the SQL command
interpolating name. The where quote (") gets closed and semicolons
separate SQL commands. The sequence of commands gets executed.
The second version will escape the quotes and semicolons in the name
string. You will simply try to match a rather odd looking name. You
could do the escaping yourself before doing the string interpolation,
but the DB module is already set up to do the work for you.
> Can someone explain.
> Tutor maillist - Tutor at python.org
More information about the Tutor