[Tutor] preventing SQL injection
jfabiani at yolo.com
Fri Jan 11 19:56:19 CET 2008
On Friday 11 January 2008 10:20:13 am Alan Gauld wrote:
> "johnf" <jfabiani at yolo.com> wrote
> > and should be doing
> > tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as
> > seq", ( 'public.arcust', 'pkid' ) )
> > which prevented SQL injection.
> The syntax of the execute statement varies by database
> Which DB are you using. For example SQLite uses ?
> instead of %s indicators.
> Could that be the issue? Have you checked the DB-API
> guide for your database?
I spoke too soon. Where can I find the DB-API for postgres? Because the only
way I can get this to work is using ('%s') and it does not work with (%s).
BTW where I'm doing my testing is with a SELECT statement.
Below does not work:
mySQL= "Select fieldname from tableName where str_field = %s" % (myVar,)
but this works:
mySQL= "Select fieldname from tableName where str_field = '%s' " % (myVar,)
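As an added example (not part of the original post), here are the two `%` forms from the message next to the DB-API parameter-passing form, run against the standard-library sqlite3 module so it works offline without a Postgres server. The table, column names and rows are constructed for the example; sqlite3 uses `?` as its placeholder (as Alan noted), and the remark that psycopg2 uses `%s` with the values passed as the second argument of execute() comes from the DB-API 2.0 paramstyle convention rather than from the post.

```python
import sqlite3

# Constructed sample data (not from the original post): an in-memory SQLite
# database standing in for the poster's tableName / str_field / fieldname.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tableName (fieldname TEXT, str_field TEXT)")
    conn.executemany(
        "INSERT INTO tableName VALUES (?, ?)",
        [("alice-row", "alice"), ("bob-row", "bob"), ("secret-row", "carol")],
    )
    conn.commit()
    return conn


def lookup_percent_unquoted(conn, my_var):
    # The poster's form that 'does not work': Python's % operator produces
    #   ... WHERE str_field = alice
    # and the database parses the bare word as a column name.
    sql = "SELECT fieldname FROM tableName WHERE str_field = %s" % (my_var,)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:   # e.g. "no such column: alice"
        return None


def lookup_percent_quoted(conn, my_var):
    # The poster's form that 'works': the value is spliced into the SQL text
    # before the database sees it, so a quote inside my_var rewrites the query.
    sql = "SELECT fieldname FROM tableName WHERE str_field = '%s'" % (my_var,)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, my_var):
    # DB-API parameter passing: the placeholder stays in the SQL text and the
    # value is handed to execute() separately, so it is always treated as data.
    # sqlite3's placeholder is ? (paramstyle 'qmark'); psycopg2's is %s
    # (paramstyle 'pyformat'), but with psycopg2 too the value goes in the
    # second argument of execute(), never through Python's % operator.
    sql = "SELECT fieldname FROM tableName WHERE str_field = ?"
    return [row[0] for row in conn.execute(sql, (my_var,))]


# Placeholder token for each DB-API 2.0 paramstyle; a driver module declares
# which one it uses in its paramstyle attribute, so there is no need to guess.
PLACEHOLDER_BY_PARAMSTYLE = {
    "qmark": "?",        # sqlite3
    "format": "%s",
    "pyformat": "%s",    # psycopg2
    "numeric": ":1",
    "named": ":name",
}


def placeholder_for(module):
    return PLACEHOLDER_BY_PARAMSTYLE[module.paramstyle]


SQLITE_PLACEHOLDER = placeholder_for(sqlite3)


if __name__ == "__main__":
    db = make_db()
    print(lookup_percent_unquoted(db, "alice"))        # None (no such column)
    print(lookup_percent_quoted(db, "alice"))          # ['alice-row']
    print(lookup_percent_quoted(db, "x' OR '1'='1"))   # ['alice-row', 'bob-row', 'secret-row']
    print(lookup_parameterised(db, "x' OR '1'='1"))    # []
    print(SQLITE_PLACEHOLDER)                          # ?
```

The unquoted `%s` form fails only because Python's `%` operator, not the database driver, is doing the substitution, so no quoting is ever applied; the quoted form runs but is injectable, as the `x' OR '1'='1` call shows. Passing the value as execute()'s second argument leaves quoting and escaping to the driver, which is what the poster's original `pg_get_serial_sequence` call was already doing correctly.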