[Tutor] preventing SQL injection

Kent Johnson kent37 at tds.net
Fri Jan 11 17:55:25 CET 2008


johnf wrote:
> Hi,
> I was recently told I was doing something wrong with my python sql statements.
> I was doing
> tempCursor.execute("Select pg_get_serial_sequence('%s','%s') as seq" % ('public.arcust','pkid'))
> 
> and should be doing
> tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( 'public.arcust', 'pkid' ) )
> 
> which prevented SQL injection.

Yes, good advice.

> But the above does not work when I use variables instead of strings as in
> 
> tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( tableName, fieldName ) )

That should work; can you show us a bit more code? What is in tableName 
and fieldName?

If this works:
tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( 'public.arcust', 'pkid' ) )

Then so should this:
tableName = 'public.arcust'
fieldName = 'pkid'
tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", (tableName , fieldName) )

Kent
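The point of the thread, shown side by side, as an added example that is not part of the original post or Kent's reply: the `%`-formatted query splices whatever the variables contain straight into the SQL text, while the parameterized form hands the values to the driver and they can never change the shape of the statement. So that it runs offline, the example uses the standard-library sqlite3 module against a constructed in-memory table standing in for the Postgres lookup (the table, its rows and the injection payload are all invented here); sqlite3 uses `?` as its placeholder where psycopg2 uses `%s`, but the `execute(sql, params)` call works the same way.

```python
import sqlite3

# Constructed sample data (an assumption for this example): a small table
# mapping (table, column) to a sequence name, standing in for the
# pg_get_serial_sequence() lookup discussed in the thread.
SAMPLE_ROWS = [
    ("public.arcust", "pkid", "public.arcust_pkid_seq"),
    ("public.secret", "id", "public.secret_id_seq"),
]

# Constructed injection payload: a quote that closes the literal, then a
# tautology that makes the WHERE clause true for every row.
MALICIOUS_VALUE = "x' OR '1'='1"


def make_db():
    """Build the in-memory sqlite3 database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE serial_seq (tbl TEXT, col TEXT, seq TEXT)")
    conn.executemany("INSERT INTO serial_seq VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_formatted(conn, table_name, field_name):
    """The injectable form from the original question: Python's % operator
    pastes the values into the SQL text before the database ever sees it."""
    sql = ("SELECT seq FROM serial_seq WHERE tbl = '%s' AND col = '%s' "
           "ORDER BY seq" % (table_name, field_name))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, table_name, field_name):
    """The recommended form: the SQL text is fixed and the driver binds the
    values, so a quote inside a value is just data (sqlite3 uses ? where
    psycopg2 uses %s)."""
    sql = "SELECT seq FROM serial_seq WHERE tbl = ? AND col = ? ORDER BY seq"
    return [row[0] for row in conn.execute(sql, (table_name, field_name))]


def demo():
    """Return (honest lookup via variables, formatted lookup with the payload,
    parameterized lookup with the payload)."""
    conn = make_db()
    # Kent's point: plain variables bind exactly like the string literals did.
    table_name = "public.arcust"
    field_name = "pkid"
    honest = lookup_parameterized(conn, table_name, field_name)
    # Same payload through both forms: the formatted query is rewritten into
    # "... WHERE tbl = 'x' OR '1'='1' AND col = 'x' OR '1'='1' ..." and
    # returns every sequence; the bound query looks for a table literally
    # named "x' OR '1'='1" and returns nothing.
    leaked = lookup_formatted(conn, MALICIOUS_VALUE, MALICIOUS_VALUE)
    contained = lookup_parameterized(conn, MALICIOUS_VALUE, MALICIOUS_VALUE)
    return honest, leaked, contained


if __name__ == "__main__":
    for label, result in zip(("variables", "formatted", "parameterized"), demo()):
        print("%-14s %r" % (label, result))
```

One caveat worth keeping in mind: placeholders bind values only. pg_get_serial_sequence happens to take its table and column names as string values, so binding them is exactly right, but a table name that has to appear as an identifier (after FROM, for instance) cannot be passed as a parameter and needs the driver's identifier-quoting support or a whitelist instead.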

