[Tutor] preventing SQL injection

Simone simozack at yahoo.it
Fri Jan 11 18:14:25 CET 2008


johnf wrote:

> But the above does not work when I use variables instead of strings as in
> 
> tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as seq", ( tableName, fieldName ) )
> 
> So how am I suppose to prevent SQL injections?????

Try to use '?' instead of %s, like this:

tempCursor.execute ( "Select pg_get_serial_sequence ( ?, ? ) as seq", ( tableName, fieldName ) )

For further information see PEP 249 
(http://www.python.org/dev/peps/pep-0249/)

HTH!

Simone
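A self-contained illustration of the point of this thread, added here as an editor's example and not code from either poster: PEP 249 leaves the placeholder syntax to the driver (its module-level `paramstyle` attribute; sqlite3 reports "qmark" for '?', psycopg2 reports "pyformat" for %s), and whichever placeholder the driver uses, the values must be passed as the second argument to `execute()` rather than interpolated into the SQL text. The example uses an in-memory sqlite3 table with constructed sample rows and shows a string-formatted lookup next to its parameterized counterpart; the table, rows and function names are all assumptions for the demo.

```python
import sqlite3

# Positional placeholder for each DB-API 2.0 paramstyle (PEP 249).
# "named" uses :name and is not positional, so it is left out here.
PLACEHOLDERS = {"qmark": "?", "format": "%s", "pyformat": "%s", "numeric": ":1"}


def placeholder_for(module):
    """Return the positional placeholder a DB-API module expects, or None."""
    return PLACEHOLDERS.get(getattr(module, "paramstyle", None))


def build_db():
    """Constructed sample database: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    """The 'before' form: the value is pasted into the SQL text, so
    quote characters in `name` change the query's structure."""
    sql = "SELECT role FROM users WHERE name = '%s' ORDER BY rowid" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """The parameterized form: the driver's placeholder marks where a
    value goes, and the value itself travels separately as data."""
    ph = placeholder_for(sqlite3)  # '?' for sqlite3
    sql = "SELECT role FROM users WHERE name = %s ORDER BY rowid" % ph
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = build_db()
    hostile = "bob' OR '1'='1"  # constructed input containing a quote
    print("paramstyle:", sqlite3.paramstyle, "->", placeholder_for(sqlite3))
    print("unsafe:", lookup_unsafe(db, hostile))  # every row comes back
    print("safe:  ", lookup_safe(db, hostile))    # no user has that name
```

Note that the `%` in `lookup_safe` only chooses the placeholder character, never a user value; the value is always bound through the tuple argument of `execute()`. If the driver's `paramstyle` is "pyformat", the placeholder is "%s" and the code in the original question already has the right shape.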

