[Tutor] ODBC SQL Server Question
Jeff Johnson
jeff at dcsoftware.com
Fri Sep 18 21:40:10 CEST 2009
Thanks for the clarification Kent!
Kent Johnson wrote:
> On Fri, Sep 18, 2009 at 2:14 PM, Jeff Johnson <jeff at dcsoftware.com> wrote:
>> Kent:
>>
>> How about this:
>> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, ))
>
> No, that has the same result as your original. For example,
> In [3]: name = "Kent'; drop table Stories;--"
>
> In [4]: "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, )
> Out[4]: "SELECT CUSTID FROM Stories WHERE NAME = 'Kent'; drop table Stories;--'"
>
> Oops.
>
>> Question, does execute know to substitute the question mark with name?
>> self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, ))
>
> Yes, and it will correctly quote name according to the conventions of
> the database in use. (Note that not all DB-API implementations use ?
> as the placeholder; check the docs for the db you are using.)
>
> Kent
--
Jeff
Jeff Johnson
jeff at dcsoftware.com
Phoenix Python User Group - sunpiggies at googlegroups.com
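The two execute() calls discussed above, run side by side, as an added example that is not part of the original post or the poster's code. It uses sqlite3 instead of the poster's ODBC/SQL Server connection because sqlite3 ships with Python, runs offline and, like pyodbc, reports the "qmark" paramstyle, so the ? placeholder from the thread works unchanged; the Stories rows are constructed sample data, and lookup_sql() illustrates Kent's caveat that other DB-API modules spell the placeholder differently.

```python
import sqlite3

# Constructed rows standing in for the poster's Stories table (not real data).
SAMPLE_ROWS = [(1, "Kent"), (2, "Jeff"), (3, "O'Brien")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Stories (CUSTID INTEGER PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO Stories VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def unsafe_sql(name):
    """The pattern from the thread: the value is pasted into the SQL text,
    so any quote inside it is parsed as SQL rather than treated as data."""
    return "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name,)


def lookup_unsafe(conn, name):
    """Run the string-formatted query and return the matching CUSTIDs."""
    return sorted(row[0] for row in conn.execute(unsafe_sql(name)))


def lookup_sql(paramstyle):
    """The same query spelled for each PEP 249 paramstyle. sqlite3 and pyodbc
    report "qmark"; MySQLdb reports "format" and psycopg2 "pyformat"."""
    styles = {
        "qmark": "SELECT CUSTID FROM Stories WHERE NAME = ?",
        "numeric": "SELECT CUSTID FROM Stories WHERE NAME = :1",
        "named": "SELECT CUSTID FROM Stories WHERE NAME = :name",
        "format": "SELECT CUSTID FROM Stories WHERE NAME = %s",
        "pyformat": "SELECT CUSTID FROM Stories WHERE NAME = %(name)s",
    }
    return styles[paramstyle]


def lookup_safe(conn, name, paramstyle=sqlite3.paramstyle):
    """Parameterized query: the value travels separately from the SQL text and
    the driver quotes it for the database, so it cannot change the query's shape.
    Named styles take a mapping; positional styles take a sequence."""
    params = {"name": name} if paramstyle in ("named", "pyformat") else (name,)
    return sorted(row[0] for row in conn.execute(lookup_sql(paramstyle), params))


def unsafe_fails_on(conn, name):
    """True when the formatted query is not even valid SQL for this value,
    e.g. an ordinary name containing an apostrophe."""
    try:
        lookup_unsafe(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    evil = "x' OR '1'='1"
    print(unsafe_sql(evil))
    print("unsafe:", lookup_unsafe(db, evil))   # every customer row leaks
    print("safe:  ", lookup_safe(db, evil))     # nobody is literally named that
    print("O'Brien breaks the formatted query:", unsafe_fails_on(db, "O'Brien"))
    print("O'Brien via placeholder:", lookup_safe(db, "O'Brien"))
```

Kent's payload with a second statement ("Kent'; drop table Stories;--") behaves differently here only because sqlite3's execute() refuses to run more than one statement at a time; SQL Server over ODBC accepts such a batch, which is why the thread's advice to use the placeholder matters there.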