[Tutor] preventing SQL injection
kent37 at tds.net
Fri Jan 11 20:19:43 CET 2008
> I spoke too soon. Where can I find the DB-API for postgres? Because the only
> way I can get this to work is using ('%s') and it does not work with (%s).
What module are you using to connect to postgres? That module should
implement DB-API as documented here:
The module itself should have a paramstyle attribute that shows what
kind of parameter passing it expects:
In : import psycopg2
In : psycopg2.paramstyle
The meaning of the paramstyle is documented (somewhat) in PEP 249.
> BTW where I'm doing my testing is with a SELECT statement.
> below does not work
> mySQL= "Select fieldname from tableName where str_field = %s" % (myVar,)
> but this works
> mySQL= "Select fieldname from tableName where str_field = '%s' " % (myVar,)
Can you post a small, complete program containing both the working and
non-working variants and show the complete output of the program?
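The point Kent is driving at, shown as an added example that is not from the original thread: the `%s` in the poster's query is Python string formatting, not DB-API parameter passing, so it only "works" once quotes are hand-written around it, and that version is injectable. The example uses the standard-library sqlite3 module (paramstyle 'qmark', placeholder `?`) so it runs without a PostgreSQL server; the table, column names and sample rows are constructed here to match the thread's query.

```python
import sqlite3

# Constructed sample data, not from the original thread.
ROWS = [("alice", "secret-a"), ("bob", "secret-b"), ("carol", "secret-c")]


def make_db():
    """In-memory database with the table the thread's query refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tableName (str_field TEXT, fieldname TEXT)")
    # executemany with a placeholder is itself parameter passing.
    conn.executemany("INSERT INTO tableName VALUES (?, ?)", ROWS)
    return conn


def lookup_unquoted(conn, my_var):
    """The poster's first attempt: '%s' with Python's % operator and no quotes.

    The value is pasted into the SQL text as a bare word, so the database
    reads it as a column name and the statement fails. Returns the error
    class name so the failure can be inspected instead of raised.
    """
    sql = "SELECT fieldname FROM tableName WHERE str_field = %s" % (my_var,)
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.Error as exc:
        return type(exc).__name__


def lookup_unsafe(conn, my_var):
    """The poster's 'working' variant: quotes added by hand around %s.

    Still plain string formatting. Any quote in my_var ends the literal and
    the rest of the value becomes SQL: classic injection.
    """
    sql = "SELECT fieldname FROM tableName WHERE str_field = '%s'" % (my_var,)
    return sorted(r[0] for r in conn.execute(sql))


def lookup_safe(conn, my_var):
    """DB-API parameter passing: placeholder in the SQL, value passed separately.

    sqlite3.paramstyle is 'qmark', so the placeholder is '?'. psycopg2 reports
    'pyformat', where the placeholder is written '%s'; the mechanism is the
    same: the driver quotes the value, and the SQL text never changes.
    Note the comma after the string, not a % operator.
    """
    sql = "SELECT fieldname FROM tableName WHERE str_field = ?"
    return sorted(r[0] for r in conn.execute(sql, (my_var,)))


def demo():
    """Run all three variants against a normal and a hostile input."""
    conn = make_db()
    hostile = "' OR '1'='1"  # constructed injection payload
    return {
        "paramstyle": sqlite3.paramstyle,
        "unquoted_bob": lookup_unquoted(conn, "bob"),
        "unsafe_bob": lookup_unsafe(conn, "bob"),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_bob": lookup_safe(conn, "bob"),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a plain value both `lookup_unsafe` and `lookup_safe` return bob's row, which is why the quoted `'%s'` looked correct to the poster. With the hostile value the formatted query collapses to `WHERE str_field = '' OR '1'='1'` and returns every row, while the parameterized query looks for a string literally equal to the payload and returns nothing. For psycopg2 the safe form is the same shape with its own placeholder: `cur.execute("... WHERE str_field = %s", (myVar,))`.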