| References | <CAOypoo5Y8cOB015ngO9K7UEqu0AEdRPGuhpzrjZuXjE+nbh-uw@mail.gmail.com> |
|---|---|
| Date | 2012-02-05 14:46 -0800 |
| Subject | Re: MySQLdb not allowing hyphen |
| From | Chris Rebert <clp2@rebertia.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.5458.1328481998.27778.python-list@python.org> |
On Sun, Feb 5, 2012 at 2:41 PM, Emeka <emekamicro@gmail.com> wrote:
>
> Hello All,
>
> I noticed that MySQLdb not allowing hyphen may be way to prevent injection
> attack.
> I have something like below:
>
> "insert into reviews(message, title)values('%s', '%s')" %( "We don't know
> where to go","We can't wait till morrow" )
>
> ProgrammingError(1064, "You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right syntax to
> use near 't know where to go.
>
> How do I work around this error?

Don't use raw SQL strings in the first place. Use a proper
parameterized query, e.g.:

    cursor.execute("insert into reviews(message, title) values (%s, %s)",
        ("We don't know where to go", "We can't wait till morrow"))

Cheers,
Chris
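
The difference between the two forms in this thread, as an added example that is not part of the original posts: the interpolated statement breaks on the apostrophes, while the parameterized one stores the same text unchanged. It assumes the standard-library sqlite3 module as a stand-in for MySQLdb so it runs without a MySQL server (sqlite3 writes placeholders as `?` where MySQLdb uses `%s`); the function names and the second sample row are constructed for illustration.

```python
import sqlite3

# First row: the strings from the question. Second row: constructed sample data.
REVIEWS = [
    ("We don't know where to go", "We can't wait till morrow"),
    ('100% "quoted" \\ text; -- not a comment', "O'Brien's review"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table reviews(message text, title text)")
    return conn

def insert_interpolated(conn, message, title):
    """The pattern from the question: values are pasted into the SQL text."""
    sql = "insert into reviews(message, title) values('%s', '%s')" % (message, title)
    conn.execute(sql)

def insert_parameterized(conn, message, title):
    """Values travel separately from the statement and are never parsed as SQL."""
    # sqlite3 placeholder is '?'; with MySQLdb the same call uses '%s'.
    conn.execute("insert into reviews(message, title) values (?, ?)", (message, title))

def compare():
    """Try both forms on every row; return (errors from interpolation, rows stored)."""
    conn = make_db()
    failures = []
    for message, title in REVIEWS:
        try:
            insert_interpolated(conn, message, title)
        except sqlite3.Error as exc:
            # The apostrophe ended the string literal early, so the rest of the
            # value was read as SQL and the statement no longer parses.
            failures.append(str(exc))
    for message, title in REVIEWS:
        insert_parameterized(conn, message, title)
    conn.commit()
    stored = conn.execute("select message, title from reviews order by rowid").fetchall()
    return failures, stored

if __name__ == "__main__":
    failures, stored = compare()
    for msg in failures:
        print("interpolated insert failed:", msg)
    for row in stored:
        print("parameterized insert stored:", row)
```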