[Tutor] preventing SQL injection
alan.gauld at btinternet.com
Fri Jan 11 19:20:13 CET 2008
"johnf" <jfabiani at yolo.com> wrote:
> and should be doing
> tempCursor.execute("Select pg_get_serial_sequence(%s, %s) as seq",
>                    ('public.arcust', 'pkid'))
> which prevented SQL injection.
The syntax of the execute statement varies by database.
Which DB are you using? For example, SQLite uses ?
instead of %s as its placeholder indicator.
Could that be the issue? Have you checked the DB-API
guide for your database?
Author of the Learn to Program web site
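To make the paramstyle point concrete, here is an added example that is not part of the thread above: it uses the sqlite3 module (qmark style) to show a string-interpolated query being subverted by a crafted value, the parameterised form rejecting the same value, the syntax error you get when a %s placeholder is sent to a qmark driver, and a small helper that rewrites '?' placeholders for a driver with a different paramstyle. The table name arcust and the rows in it are constructed for the demonstration, and the helper is a hypothetical convenience, not part of any DB-API driver.

```python
import sqlite3


def setup():
    """Constructed in-memory table for the demonstration (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE arcust (pkid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO arcust (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_unsafe(conn, name):
    """Vulnerable: the value is pasted into the SQL text, so quotes in it become SQL."""
    sql = "SELECT pkid FROM arcust WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_safe(conn, name):
    """Parameterised: sqlite3.paramstyle is 'qmark', so '?' marks each bound value.

    The driver sends the value separately from the statement, so it is never
    parsed as SQL no matter what characters it contains.
    """
    sql = "SELECT pkid FROM arcust WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def wrong_paramstyle(conn):
    """Sending a %s placeholder to a qmark driver is a SQL syntax error, not a silent bug."""
    try:
        conn.execute("SELECT pkid FROM arcust WHERE name = %s", ("alice",))
    except sqlite3.OperationalError:
        return "OperationalError"
    return "no error"


def adapt_placeholders(sql, paramstyle):
    """Rewrite a qmark-style statement for a driver that uses another DB-API paramstyle.

    Hypothetical helper. It assumes no literal '?' appears inside string
    constants in the statement; qmark, format and numeric are handled.
    """
    if paramstyle == "qmark":          # sqlite3
        return sql
    if paramstyle == "format":         # psycopg2, MySQLdb: %s for every value
        return sql.replace("?", "%s")
    if paramstyle == "numeric":        # cx_Oracle: :1, :2, ...
        parts = sql.split("?")
        out = []
        for i, part in enumerate(parts):
            out.append(part)
            if i < len(parts) - 1:
                out.append(":%d" % (i + 1))
        return "".join(out)
    raise ValueError("unsupported paramstyle: %s" % paramstyle)


if __name__ == "__main__":
    conn = setup()
    hostile = "x' OR '1'='1"
    print("sqlite3 paramstyle:", sqlite3.paramstyle)
    print("unsafe lookup returns:", find_unsafe(conn, hostile))
    print("safe lookup returns:", find_safe(conn, hostile))
    print("%s against sqlite3:", wrong_paramstyle(conn))
    print(adapt_placeholders("SELECT pg_get_serial_sequence(?, ?) AS seq", "format"))
```

The check for your own driver is one line: print `yourmodule.paramstyle` and use the placeholder it names. Whatever the style, the values always go in the second argument to execute(), never into the SQL string.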