From: Chris Angelico
Cc: "python-list@python.org"
Date: Sat, 9 Aug 2014 13:03:24 +1000
Subject: Re: Newbie needing some help
Newsgroups: comp.lang.python

On Sat, Aug 9, 2014 at 12:51 PM, John Gordon wrote:
> You probably meant something like this instead:
>
>     sql = "DELETE FROM tblc_users WHERE user_email=%s" % line
>
> This will substitute the value of line for the %s.
>
> However, most (all?) SQL databases require string values to be enclosed
> in single quotes, and your database likely defines user_email as a string
> value. So you probably actually want something like this:
>
>     sql = "DELETE FROM tblc_users WHERE user_email='%s'" % line
>
> And even this solution isn't very good, because it allows SQL injection
> attacks if your text file contains something nasty. If this is anything
> other than a toy program, please take the time to look up prepared
> statements.

All SQL databases require strings to be quoted (it's part of the SQL
spec), although some broken database engines (which I shall not name)
do allow other forms of quote than the apostrophe.

But I would advise against even suggesting the interpolation method;
there's absolutely no reason ever to do this sort of thing - it's just
way too fragile. (Even if you think you can get it perfectly right now,
do you really want to inflict the headache on the code's next
maintainer?)

Parameterized queries are a part of the Python database API, so go ahead
and use them.

ChrisA
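
The interpolated statement from the quoted post beside a DB-API parameterized query, as an added example that is not part of the original thread. It assumes the standard-library sqlite3 driver so that it runs offline (the thread does not say which driver is in use), keeps the table and column names from the quoted post, and uses constructed rows and input lines.

```python
import sqlite3

# Constructed input standing in for lines read from the text file:
# one legitimate address containing an apostrophe, one hostile line.
LINES = ["o'brien@example.com\n", "x' OR '1'='1\n"]

def make_db():
    """In-memory table named as in the thread, with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblc_users (user_email TEXT)")
    conn.executemany(
        "INSERT INTO tblc_users VALUES (?)",
        [("alice@example.com",), ("bob@example.com",), ("o'brien@example.com",)],
    )
    return conn

def delete_interpolated(conn, line):
    # The quoted approach: the value becomes part of the SQL text itself.
    sql = "DELETE FROM tblc_users WHERE user_email='%s'" % line
    return conn.execute(sql).rowcount

def delete_parameterized(conn, line):
    # The value travels separately from the statement and is never parsed as SQL.
    # sqlite3 uses '?' placeholders; other DB-API drivers may use %s instead
    # (check the driver module's paramstyle attribute).
    sql = "DELETE FROM tblc_users WHERE user_email=?"
    return conn.execute(sql, (line,)).rowcount

def run(delete):
    """Apply one delete function to every input line.

    Returns (rows deleted per line, or None if the statement failed;
             addresses left in the table afterwards).
    """
    conn = make_db()
    counts = []
    for line in LINES:
        try:
            counts.append(delete(conn, line.strip()))
        except sqlite3.Error:
            counts.append(None)  # the apostrophe broke the SQL syntax
    left = conn.execute("SELECT user_email FROM tblc_users ORDER BY user_email")
    return counts, [row[0] for row in left]

if __name__ == "__main__":
    print("interpolated: ", run(delete_interpolated))
    print("parameterized:", run(delete_parameterized))
```

With interpolation the legitimate address fails to delete at all and the hostile line empties the table; with parameters each line only ever matches itself.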