[Tutor] preventing SQL injection

Kent Johnson kent37 at tds.net
Fri Jan 11 20:19:43 CET 2008

johnf wrote:
> I spoke too soon.  Where can I find the DB-API for postgres?  Because the only 
> way I can get this to work is using ('%s') and it does not work with (%s).

What module are you using to connect to postgres? That module should 
implement DB-API as documented here:

The module itself should have a paramstyle attribute that shows what 
kind of parameter passing it expects:
In [5]: import psycopg2
In [6]: psycopg2.paramstyle
Out[6]: 'pyformat'

The meaning of the paramstyle is documented (somewhat) in PEP 249.

> BTW where I'm doing my testing is with a SELECT statement.
> below does not work
> mySQL= "Select fieldname from tableName where str_field = %s" % (myVar,)
> but this works
> mySQL= "Select fieldname from tableName where str_field = '%s' " % (myVar,)

Can you post a small, complete program containing both the working and 
non-working variants and show the complete output of the program?
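An added example, not code from the thread, of the parameterised query Kent is pointing at. It uses the standard-library sqlite3 module (paramstyle 'qmark') as an offline stand-in for psycopg2, builds the placeholder from the module's paramstyle, and shows that a value containing a quote is passed as data by the driver but breaks the '%s'-formatted statement. The table, rows and function names are constructed for the example.

```python
import sqlite3

# Placeholder a DB-API module with the given paramstyle (PEP 249) expects.
def placeholder(paramstyle, name, position=1):
    styles = {
        "qmark": "?",                   # sqlite3
        "numeric": ":%d" % position,
        "named": ":%s" % name,
        "format": "%s",
        "pyformat": "%%(%s)s" % name,   # psycopg2
    }
    if paramstyle not in styles:
        raise ValueError("unknown paramstyle: %r" % paramstyle)
    return styles[paramstyle]

# Package the value as the sequence or mapping that style requires.
def params_for(paramstyle, name, value):
    if paramstyle in ("named", "pyformat"):
        return {name: value}
    return (value,)

def find_safe(conn, paramstyle, str_field):
    """Parameterised query: the driver passes str_field as data, not SQL."""
    sql = ("SELECT fieldname FROM tableName WHERE str_field = "
           + placeholder(paramstyle, "v"))
    cur = conn.cursor()
    cur.execute(sql, params_for(paramstyle, "v", str_field))
    return [row[0] for row in cur.fetchall()]

def find_unsafe(conn, str_field):
    """The '%s' string formatting from the post: the value becomes SQL.
    Returns None when the formatted statement is not even valid SQL."""
    sql = "SELECT fieldname FROM tableName WHERE str_field = '%s'" % (str_field,)
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.Error:
        return None

def demo_db():
    """Constructed in-memory table; one value contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tableName (fieldname TEXT, str_field TEXT)")
    conn.executemany("INSERT INTO tableName VALUES (?, ?)",
                     [("a", "alice"), ("b", "O'Brien")])
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(sqlite3.paramstyle)                            # qmark
    print(find_safe(db, sqlite3.paramstyle, "O'Brien"))  # ['b']
    print(find_unsafe(db, "O'Brien"))                    # None: broken SQL
```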


