[Tutor] ODBC SQL Server Question
Kent Johnson
kent37 at tds.net
Fri Sep 18 19:00:38 CEST 2009
On Fri, Sep 18, 2009 at 11:49 AM, Jeff Johnson <jeff at dcsoftware.com> wrote:
> Kristina:
>
> I would format it as follows:
>
> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % name)
No, that is a recipe for SQL injection attacks such as this:
http://xkcd.com/327/
>> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name))
I think that should have a comma to create a tuple:
self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name,))
I don't know if that could cause your problem.
Kent
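Added example (not code from the thread): it runs both points above against Python's sqlite3 module, which uses the same '?' placeholder style as the pyodbc call being discussed, so it serves as an offline stand-in for the SQL Server connection. The Stories table and its two rows are constructed here for the demonstration.

```python
import sqlite3

# Constructed in-memory stand-in for the SQL Server "Stories" table.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE Stories (CUSTID INTEGER, NAME TEXT)")
CONN.executemany("INSERT INTO Stories VALUES (?, ?)",
                 [(1, "Kristina"), (2, "O'Brien")])


def _run(sql, params=()):
    """Execute and return the CUSTID column, or the driver error as text."""
    cur = CONN.cursor()
    try:
        cur.execute(sql, params)
        return [row[0] for row in cur.fetchall()]
    except sqlite3.Error as exc:
        return "error: %s" % exc


def lookup_formatted(name):
    """The '%s' version: the value is pasted into the SQL text itself.

    Any quote character in the value becomes part of the statement, which is
    why a plain name like O'Brien breaks it and why crafted input can rewrite
    the query (the injection problem Kent points to).
    """
    return _run("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % name)


def lookup_param(params):
    """The '?' version: the value travels separately as a bound parameter.

    `params` must be a sequence with one item per placeholder. Passing
    ("O'Brien") instead of ("O'Brien",) hands the driver a 7-character
    string, i.e. seven bindings for one placeholder. It only "works" by
    accident for a single-character name, where the string has length 1.
    """
    return _run("SELECT CUSTID FROM Stories WHERE NAME = ?", params)
```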