[Tutor] preventing SQL injection
Kent Johnson
kent37 at tds.net
Fri Jan 11 17:55:25 CET 2008
johnf wrote:
> Hi,
> I was recently told I was doing something wrong with my Python SQL statements.
> I was doing
> tempCursor.execute("Select pg_get_serial_sequence('%s','%s') as seq" % ('public.arcust','pkid'))
>
> and should be doing
> tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( 'public.arcust', 'pkid' ) )
>
> which prevented SQL injection.
Yes, good advice.
> But the above does not work when I use variables instead of strings as in
>
> tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( tableName, fieldName ) )
That should work; can you show us a bit more code? What is in tableName
and fieldName?
If this works:
tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( 'public.arcust', 'pkid' ) )
Then so should this:
tableName = 'public.arcust'
fieldName = 'pkid'
tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", (tableName , fieldName) )
Kent
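The following is an added example, not code from johnf or Kent, showing concretely why the advice in this thread matters. It puts the string-formatting version next to the parameterized version and feeds both a constructed injection payload. It uses the standard library's sqlite3 module rather than psycopg2 so it runs offline; the mechanism is the same, only the placeholder spelling differs (sqlite3 uses `?`, psycopg2 uses `%s`). The table, rows and payloads are all constructed for the example.

```python
import sqlite3

# Added example, not code from the original thread. sqlite3 is used so the
# demonstration runs offline; psycopg2 works the same way with %s placeholders.


def make_db():
    """Constructed in-memory database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users (name, role) VALUES ('alice', 'admin');
        INSERT INTO users (name, role) VALUES ('bob', 'user');
        """
    )
    return conn


def lookup_unsafe(conn, name):
    """The pattern johnf was told to stop using: Python's % operator splices
    the value into the SQL text before the database sees it, so any quote or
    keyword in the value is parsed as SQL."""
    query = "SELECT name, role FROM users WHERE name = '%s' ORDER BY id" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Placeholder plus parameter tuple: the driver sends the value separately
    from the statement text, so it can only ever be compared as data."""
    query = "SELECT name, role FROM users WHERE name = ? ORDER BY id"
    return conn.execute(query, (name,)).fetchall()


def unsafe_raises(conn, name):
    """True if the string-formatted query is not even valid SQL for this
    input, e.g. a legitimate name containing a single quote."""
    try:
        lookup_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed injection payload
    print("unsafe:", lookup_unsafe(conn, payload))  # every row leaks
    print("safe:  ", lookup_safe(conn, payload))    # [] - no such name
    print("quote breaks unsafe query:", unsafe_raises(conn, "O'Brien"))
```

Note that parameter binding only protects values. It works for pg_get_serial_sequence because that function takes its table and column names as text arguments; a table or column name used as an identifier (for example after FROM) cannot be bound this way, and for that psycopg2 provides psycopg2.sql.Identifier (psycopg2 2.7 and later).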