[Tutor] Parameterized Queries failing on MySQL
__peter__ at web.de
Thu Dec 16 14:23:06 CET 2010
Shea Grove wrote:
>> I'm using pyodbc to interact with MS SQL Server and I'm starting to
>> support mysql. My issue is that when I use a parameterized query, it
>> works for SQL Server, but crashes when I point to MySQL.
I assume it raises an Exception.
>> Is there a different syntax that I should be using? or module?
MySQLdb uses a different paramstyle "format" (see

>> query='insert into RestaurantTable values (?, ?, ?, ?, ?, ?, ?, ?, ?)'

query = 'insert into RestaurantTable values (%s, %s, %s, %s, %s, %s, %s, %s, %s)'
>> mcursor.execute(query, params)
but *never* change the above to
mcursor.execute(query % params) #WRONG
which unfortunately will work most of the time with that paramstyle while
making your app vulnerable to sql injection as demonstrated here:
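Added example, not code from the post or from pyodbc/MySQLdb: it uses the standard-library sqlite3 driver (paramstyle "qmark", like pyodbc) so it runs offline, and shows both points above. `adapt_placeholders` rewrites the `?` markers for a driver that advertises paramstyle "format" (the parameter tuple is untouched and still goes to `execute()` separately); `lookup_unsafe` splices the value into the SQL with `%` the way the `#WRONG` line does, while `lookup_safe` passes it as a parameter. The table, rows and the hypothetical helper names are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
SAMPLE_ROWS = [
    ("Luigi's", "Italian", 4),
    ("Sakura", "Japanese", 5),
    ("Taqueria", "Mexican", 3),
]

# Attacker-style input: closes the quoted literal and appends a tautology.
INJECTION = "x' or '1'='1"


def adapt_placeholders(query, paramstyle):
    """Rewrite a qmark-style query for the driver's advertised paramstyle.

    sqlite3 and pyodbc report "qmark" ('?'), MySQLdb reports "format" ('%s').
    Assumption: the caller passes module.paramstyle of the DB-API module in
    use. Only the '?' markers change; the values are still passed to
    cursor.execute() as a separate tuple. Caveat: a literal '?' inside a
    quoted SQL string would also be rewritten by this naive replace.
    """
    if paramstyle == "qmark":
        return query
    if paramstyle == "format":
        return query.replace("?", "%s")
    raise ValueError("unsupported paramstyle: %s" % paramstyle)


def make_db():
    """In-memory sqlite3 database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table RestaurantTable (name text, cuisine text, rating integer)"
    )
    conn.executemany(
        adapt_placeholders("insert into RestaurantTable values (?, ?, ?)",
                           sqlite3.paramstyle),
        SAMPLE_ROWS,
    )
    return conn


def lookup_unsafe(conn, name):
    # WRONG: the value is spliced into the SQL text before the driver sees it,
    # so quotes in the input become part of the statement. Besides the
    # injection, a legitimate name such as "Luigi's" breaks the query.
    query = "select name from RestaurantTable where name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    # RIGHT: placeholder in the SQL, value in the parameter tuple. The driver
    # quotes and escapes the value, so it is never parsed as SQL.
    query = adapt_placeholders(
        "select name from RestaurantTable where name = ?", sqlite3.paramstyle
    )
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    db = make_db()
    print("safe, normal input:   ", lookup_safe(db, "Sakura"))
    print("safe, injection input:", lookup_safe(db, INJECTION))
    print("unsafe, injection:    ", lookup_unsafe(db, INJECTION))
```

Run against the constructed table, the safe lookup returns only the matching row (and an empty list for the injection string), while the unsafe lookup returns every row for the injection string and raises a syntax error on "Luigi's". The same contrast holds for MySQLdb with `%s` markers: `execute(query, params)` lets the driver escape the values, `execute(query % params)` does not.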