[Tutor] preventing SQL injection
jfabiani at yolo.com
Fri Jan 11 18:30:16 CET 2008
On Friday 11 January 2008 09:14:25 am Simone wrote:
> johnf ha scritto:
> > But the above does not work when I use variables instead of strings as in
> > tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as
> > seq", ( tableName, fieldName ) )
> > So how am I suppose to prevent SQL injections?????
> Try tu use '?' instead of %s, like this:
> tempCursor.execute ( "Select pg_get_serial_sequence ( ?, ? ) as seq", (
> tableName, fieldName ) )
> For further information see PEP 249
Thanks I think I see the issue. The Qmark etc.. was the clue.
More information about the Tutor