| Started by | Dennis Lee Bieber <wlfraed@ix.netcom.com> |
|---|---|
| First post | 2012-02-05 18:23 -0500 |
| Last post | 2012-02-05 18:23 -0500 |
| Articles | 1 — 1 participant |
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.
Re: MySQLdb not allowing hyphen Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2012-02-05 18:23 -0500
| From | Dennis Lee Bieber <wlfraed@ix.netcom.com> |
|---|---|
| Date | 2012-02-05 18:23 -0500 |
| Subject | Re: MySQLdb not allowing hyphen |
| Message-ID | <mailman.5461.1328484217.27778.python-list@python.org> |
On Mon, 6 Feb 2012 00:41:24 +0200, Emeka <emekamicro@gmail.com> wrote:
>Hello All,
>
>I noticed that MySQLdb not allowing hyphen may be way to prevent injection
>attack.
What hyphen?
>I have something like below:
>
>"insert into reviews(message, title)values('%s', '%s')" %( "We don't know
>where to go","We can't wait till morrow" )
>
<snip>
>How do I work around this error?
Very simple... DON'T QUOTE PLACEHOLDERS AND USE MySQLdb
parameterized queries.
```python
csr.execute("insert into reviews (message, title) values (%s, %s)",
            ("We don't know where to go",
             "We can't wait till morrow"))  # <sic>
```
The whole purpose of parameterized queries is that the .execute()
logic will SAFELY wrap the supplied values with quotes AND escape any
problem characters within the value.
The reason you got an error was not a hyphen (there are no hyphens
in your example) but rather that you closed the quote. Your generated
SQL was:
```sql
insert into reviews (message, title) values ('We don't know where to go', 'We can't wait till morrow')
```
which means a string of:
"We don"
SQL garbage
t know where to go
string
", "
SQL garbage
We can
and another string
"t wait till morrow"
--
Wulfraed Dennis Lee Bieber AF6VN
wlfraed@ix.netcom.com HTTP://wlfraed.home.netcom.com/
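As an added illustration of the point made in this reply (not code from the original thread), here is the quoted post's string-formatted insert beside the parameterized form, run against the same table. The standard-library sqlite3 module stands in for MySQLdb so the example runs offline; its `?` placeholder replaces MySQLdb's `%s`, and the table and sample values are constructed from the post.

```python
import sqlite3

# Added example, not from the original thread. sqlite3 stands in for
# MySQLdb so this runs offline; sqlite3 uses "?" placeholders where
# MySQLdb uses "%s". Table and values are constructed from the post.
MESSAGE = "We don't know where to go"
TITLE = "We can't wait till morrow"


def new_db():
    """In-memory table matching the post's reviews(message, title)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table reviews (message text, title text)")
    return conn


def insert_formatted(conn, message, title):
    """The quoted post's approach: values pasted into the SQL text with %.
    The apostrophe in "don't" closes the quoted literal early, so the
    statement is no longer valid SQL and the driver rejects it."""
    sql = "insert into reviews(message, title) values('%s', '%s')" % (message, title)
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def insert_parameterized(conn, message, title):
    """The recommended fix: unquoted placeholders, values passed as a
    separate tuple. The driver quotes and escapes them, so the apostrophes
    are stored as data rather than parsed as SQL."""
    conn.execute("insert into reviews (message, title) values (?, ?)",
                 (message, title))
    return conn.execute("select message, title from reviews").fetchall()


if __name__ == "__main__":
    conn = new_db()
    print(insert_formatted(conn, MESSAGE, TITLE))      # error: near "t": ...
    print(insert_parameterized(conn, MESSAGE, TITLE))  # one row, quotes intact
```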