From: John Nagle on 6 Aug 2010 01:13

On 8/4/2010 4:40 PM, ����� wrote:
> cursor.execute( ''' SELECT host, hits, date FROM visitors WHERE page
> = '%s' ORDER BY date DESC ''' % (page) )

Don't do string substitution ("%") on SQL statements. Let MySQLdb do it
for you, with proper escaping:

    cursor.execute('''SELECT host, hits, date FROM visitors WHERE page=%s ORDER BY date DESC''', (page,))

The difference is that if some external source can control "page", and
they put in a value like

    100 ; DELETE FROM visitors; SELECT * FROM visitors

you just lost your data.

John Nagle
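The following is an added, runnable illustration of the point made in the post above; it is not code from the original thread. It assumes the standard-library sqlite3 module as an offline stand-in for MySQLdb (sqlite3 uses "?" placeholders where MySQLdb uses "%s"; the principle is the same), a constructed "visitors" table, and executescript() standing in for a connection that accepts several ';'-separated statements, as a MySQL connection with multi-statement support would.

```python
"""Added example (not from the original post): "%"-formatted SQL versus a
parameterised query, run against the post's "visitors" table.

Assumptions: sqlite3 stands in for MySQLdb (placeholder is "?" rather
than "%s"); the table contents are constructed sample data.
"""
import sqlite3

# Constructed sample rows: (host, hits, date, page).
SAMPLE_ROWS = [
    ("10.0.0.1", 3, "2010-08-01", "index"),
    ("10.0.0.2", 7, "2010-08-02", "index"),
    ("192.0.2.9", 1, "2010-08-03", "admin"),
]

# The vulnerable pattern from the quoted code: the value is spliced into
# the SQL text, so quotes in it become part of the statement.
UNSAFE_TEMPLATE = (
    "SELECT host, hits, date FROM visitors WHERE page = '%s' "
    "ORDER BY date DESC"
)

# The corrected pattern: a placeholder; the driver binds the value.
SAFE_SQL = (
    "SELECT host, hits, date FROM visitors WHERE page = ? "
    "ORDER BY date DESC"
)


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE visitors (host TEXT, hits INTEGER, date TEXT, page TEXT)"
    )
    conn.executemany("INSERT INTO visitors VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, page):
    """String substitution: attacker-controlled 'page' can rewrite the WHERE."""
    sql = UNSAFE_TEMPLATE % (page,)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, page):
    """Parameterised query: 'page' is always treated as data, never as SQL."""
    return conn.execute(SAFE_SQL, (page,)).fetchall()


def run_unsafe_stacked(conn, page):
    """Same string-built SQL, fed to executescript(), which (like a MySQL
    connection with multi-statement support) runs every ';'-separated
    statement it is given.  Returns the number of rows left in the table."""
    sql = UNSAFE_TEMPLATE % (page,)
    conn.executescript(sql)
    return conn.execute("SELECT COUNT(*) FROM visitors").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"        # constructed attacker input
    print("unsafe:", lookup_unsafe(db, tautology))   # every row leaks
    print("safe:  ", lookup_safe(db, tautology))     # no row matches
    stacked = "x'; DELETE FROM visitors; --"         # constructed attacker input
    print("rows after stacked query:", run_unsafe_stacked(db, stacked))
```

With the tautology payload the "%"-formatted query returns every row in the table while the parameterised one returns nothing, and the stacked payload empties the table through the formatted query but is a harmless literal to the parameterised one. Note that the trailing "--" in the stacked payload comments out the rest of the original statement so the injected DELETE parses cleanly.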