[Tutor] preventing SQL injection
johnf
jfabiani at yolo.com
Fri Jan 11 19:56:19 CET 2008
On Friday 11 January 2008 10:20:13 am Alan Gauld wrote:
> "johnf" <jfabiani at yolo.com> wrote
>
> > and should be doing
> > tempCursor.execute ( "Select pg_get_serial_sequence ( %s, %s ) as
> > seq", ( 'public.arcust', 'pkid' ) )
> >
> > which prevented SQL injection.
>
> The syntax of the execute statement varies by database
> Which DB are you using. For example SQLite uses ?
> instead of %s indicators.
>
> Could that be the issue? Have you checked the DB-API
> guide for your database?
>
> HTH,
I spoke too soon. Where can I find the DB-API for postgres? Because the only
way I can get this to work is using ('%s') and it does not work with (%s).
BTW where I'm doing my testing is with a SELECT statement.
below does not work
mySQL= "Select fieldname from tableName where str_field = %s" % (myVar,)
but this works
mySQL= "Select fieldname from tableName where str_field = '%s' " % (myVar,)
--
John Fabiani
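An added example, not from the original thread, that shows the distinction the post runs into. The two lines above both use Python's % operator to paste myVar into the SQL text, so the quotes have to be written by hand. The DB-API 2.0 (PEP 249) form instead leaves a bare placeholder in the SQL and passes the value as the second argument to execute(); the driver quotes and escapes it, which is why a placeholder needs no surrounding quotes and why values containing an apostrophe are handled. It uses the sqlite3 module so it runs offline (sqlite3's paramstyle is qmark, so the placeholder is ? rather than psycopg2's %s, but the calling convention is the same). The table, column names and rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows for an in-memory table (not data from the original post).
ROWS = [("O'Brien", 1), ("Smith", 2), ("public.arcust", 3)]


def make_db():
    """Create an in-memory SQLite database with the example table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tableName (str_field TEXT, fieldname INTEGER)")
    # executemany() already uses placeholders: the rows are passed as data.
    conn.executemany("INSERT INTO tableName VALUES (?, ?)", ROWS)
    return conn


def query_interpolated(conn, my_var, quoted=True):
    """The % operator approach from the post: build the SQL text in Python.
    Returns the matching rows, or the database's error text if the built SQL
    is not valid. Without quotes the value is read as a column name; with
    quotes, any apostrophe in the value ends the string literal early."""
    if quoted:
        template = "Select fieldname from tableName where str_field = '%s'"
    else:
        template = "Select fieldname from tableName where str_field = %s"
    sql = template % (my_var,)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return str(exc)


def query_parameterized(conn, my_var):
    """The DB-API form: a bare placeholder in the SQL, the value passed
    separately. sqlite3.paramstyle is 'qmark' (?); psycopg2 uses 'pyformat'
    (%s), but the second argument to execute() works the same way in both."""
    sql = "Select fieldname from tableName where str_field = ?"
    return conn.execute(sql, (my_var,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unquoted %s :", query_interpolated(db, "Smith", quoted=False))
    print("quoted '%s'  :", query_interpolated(db, "Smith", quoted=True))
    print("quoted, apostrophe:", query_interpolated(db, "O'Brien", quoted=True))
    print("parameterized     :", query_parameterized(db, "O'Brien"))
```

Running it shows that the unquoted % version fails because the database treats Smith as an identifier, the quoted version only appears to work until a value such as O'Brien breaks the statement, and the parameterized call returns the right row in every case without any quoting in the SQL text. The placeholder character to use for a given driver is published as that module's paramstyle attribute.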