[Tutor] preventing SQL injection
johnf
jfabiani at yolo.com
Fri Jan 11 17:26:25 CET 2008
Hi,
I was recently told I was doing something wrong with my python sql statements.
I was doing
tempCursor.execute("Select pg_get_serial_sequence('%s','%s') as seq" % ('public.arcust', 'pkid'))
and should be doing
tempCursor.execute("Select pg_get_serial_sequence(%s, %s) as seq", ('public.arcust', 'pkid'))
which prevented SQL injection.
But the above does not work when I use variables instead of strings as in
tempCursor.execute("Select pg_get_serial_sequence(%s, %s) as seq", (tableName, fieldName))
So how am I supposed to prevent SQL injections?
--
John Fabiani
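An added example, not from the original post, contrasting the two forms with plain variables as the arguments. It uses Python's built-in sqlite3 with a constructed stand-in table for pg_get_serial_sequence(), since sqlite3 needs no server; psycopg2 works the same way, except that its placeholder is %s where sqlite3's is ?.

```python
import sqlite3

# Constructed stand-in for pg_get_serial_sequence(): a table mapping
# (table, column) pairs to sequence names. Sample rows are made up.
ROWS = [
    ("public.arcust", "pkid", "arcust_pkid_seq"),
    ("public.armast", "pkid", "armast_pkid_seq"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE serial_seq (table_name TEXT, column_name TEXT, seq_name TEXT)"
    )
    conn.executemany("INSERT INTO serial_seq VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, table_name, field_name):
    """The pattern from the post: values spliced into the SQL text with %.

    Whatever the caller passes becomes part of the statement, so a value
    containing a quote changes the query itself.
    """
    sql = (
        "SELECT seq_name FROM serial_seq WHERE table_name = '%s' "
        "AND column_name = '%s' ORDER BY seq_name" % (table_name, field_name)
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, table_name, field_name):
    """Parameterised form: the SQL text is constant and the driver binds the
    values separately, so they are compared as data, never parsed as SQL.
    Ordinary variables work exactly like string literals here.
    """
    sql = (
        "SELECT seq_name FROM serial_seq WHERE table_name = ? "
        "AND column_name = ? ORDER BY seq_name"
    )
    return [row[0] for row in conn.execute(sql, (table_name, field_name))]
```

Binding only covers values; pg_get_serial_sequence() takes its table and column names as text arguments, so the parameterised call applies directly, but a table name spliced into a FROM clause cannot be bound this way and has to be validated against a known list instead.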