Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #44960
| Date | 2013-05-08 20:07 +0100 |
|---|---|
| From | MRAB <python@mrabarnett.plus.com> |
| Subject | Re: MySQL Database |
| References | <CAN4UfGzbtM1vtW4EvmjYq0gDAcCzaQTJrPKhuk=VTTTwgH7sZQ@mail.gmail.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.1454.1368040063.3114.python-list@python.org> (permalink) |
On 08/05/2013 19:52, Kevin Holleran wrote:
> Hello,
>
> I want to connect to a MySQL database, query for some records,
> manipulate some data, and then update the database.
>
> When I do something like this:
>
> db_c.execute("SELECT a, b FROM Users")
>
> for row in db_c.fetchall():
>
> (r,d) = row[0].split('|')
>
> (g,e) = domain.split('.')
>
> db_c.execute("UPDATE Users SET g = '"+ g + "' WHERE a ='"+ row[0])
>
>
> Will using db_c to update the database mess up the loop that is cycling
> through db_c.fetchall()?
>
You shouldn't be building an SQL string like that because it's
susceptible to SQL injection. You should be doing it more like this:
db_c.execute("UPDATE Users SET g = %s WHERE a = %s", (g, row[0]))
The values will then be handled safely for you.
Back to comp.lang.python | Previous | Next | Find similar | Unroll thread
Re: MySQL Database MRAB <python@mrabarnett.plus.com> - 2013-05-08 20:07 +0100
csiph-web