[Tutor] preventing SQL injection

Alan Gauld alan.gauld at btinternet.com
Fri Jan 11 19:20:13 CET 2008

"johnf" <jfabiani at yolo.com> wrote 

> and should be doing
> tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as 
> seq", ( 'public.arcust', 'pkid' ) )
> which prevented SQL injection.

The syntax of the execute statement varies by database
Which DB are you using. For example SQLite uses ? 
instead of %s indicators.

Could that be the issue? Have you checked the DB-API 
guide for your database?


Alan Gauld
Author of the Learn to Program web site

More information about the Tutor mailing list