


Re: Newbie needing some help

References <mailman.12762.1407533916.18130.python-list@python.org> <ls42al$nlu$1@reader1.panix.com>
Date 2014-08-09 13:03 +1000
Subject Re: Newbie needing some help
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.12784.1407553407.18130.python-list@python.org>



On Sat, Aug 9, 2014 at 12:51 PM, John Gordon <gordon@panix.com> wrote:
> You probably meant something like this instead:
>
>     sql = "DELETE FROM tblc_users WHERE user_email=%s" % line
>
> This will substitute the value of line for the %s.
>
> However, most (all?) SQL databases require string values to be enclosed
> in single quotes, and your database likely defines user_email as a string
> value.  So you probably actually want something like this:
>
>     sql = "DELETE FROM tblc_users WHERE user_email='%s'" % line
>
> And even this solution isn't very good, because it allows SQL injection
> attacks if your text file contains something nasty.  If this is anything
> other than a toy program, please take the time to look up prepared
> statements.

All SQL databases require strings to be quoted (it's part of the SQL
spec), although some broken database engines (which I shall not name)
do allow other forms of quote than the apostrophe. But I would advise
against even suggesting the interpolation method; there's absolutely
no reason ever to do this sort of thing - it's just way too fragile.
(Even if you think you can get it perfectly right now, do you really
want to inflict the headache on the code's next maintainer?)
Parameterized queries are a part of the Python database API, so go
ahead and use them.

ChrisA
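The difference the two posters are arguing about, as an added example that is not part of the thread: the interpolated DELETE from the quoted reply next to the DB-API parameterized form Chris recommends, run over a constructed text file that contains one legitimate address and one hostile line. sqlite3 is assumed here because the original poster's database is unknown; the table and column names come from the thread, the row contents and file lines are made up for the demonstration.

```python
import sqlite3

# Constructed sample data; the table and column names follow the thread,
# the row contents are made up for this example.
SEED_EMAILS = ["alice@example.com", "bob@example.com", "o'brien@example.com"]

# Constructed contents of the text file: one real address plus a hostile
# line, which is what "something nasty" in the file would look like.
FILE_LINES = [
    "alice@example.com\n",
    "' OR '1'='1\n",
]


def make_db():
    """Fresh in-memory sqlite3 database standing in for the thread's tblc_users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblc_users (user_email TEXT)")
    conn.executemany("INSERT INTO tblc_users VALUES (?)",
                     [(e,) for e in SEED_EMAILS])
    conn.commit()
    return conn


def remaining(conn):
    """Sorted list of the emails still in the table."""
    return sorted(r[0] for r in conn.execute("SELECT user_email FROM tblc_users"))


def delete_interpolated(conn, line):
    """The quoted reply's fragile form: the line's text is spliced into the SQL."""
    sql = "DELETE FROM tblc_users WHERE user_email='%s'" % line
    conn.execute(sql)
    conn.commit()


def delete_parameterized(conn, line):
    """DB-API parameter binding: the driver hands the value to the engine apart
    from the SQL text, so quotes in the line cannot change the statement."""
    conn.execute("DELETE FROM tblc_users WHERE user_email=?", (line,))
    conn.commit()


def run(deleter, lines=FILE_LINES):
    """Feed every file line (newline stripped) to deleter; return the survivors."""
    conn = make_db()
    for line in lines:
        deleter(conn, line.rstrip("\n"))
    return remaining(conn)


def interpolation_breaks_on_apostrophe():
    """Even a legitimate address containing an apostrophe breaks the
    interpolated statement; the parameterized one handles it unchanged."""
    conn = make_db()
    try:
        delete_interpolated(conn, "o'brien@example.com")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print("interpolated:  ", run(delete_interpolated))   # the hostile line empties the table
    print("parameterized: ", run(delete_parameterized))  # only alice is removed
    print("apostrophe breaks interpolation:", interpolation_breaks_on_apostrophe())
```

With interpolation the second file line turns the statement into `DELETE FROM tblc_users WHERE user_email='' OR '1'='1'`, which matches every row; with a bound parameter the same line is just a value no row happens to equal, so nothing beyond alice is deleted. The apostrophe case shows the fragility Chris mentions even without an attacker: ordinary data with a quote in it is a syntax error under interpolation.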



Thread

Newbie needing some help Matt Smith <smithmm@tblc.org> - 2014-08-08 15:07 -0400
  Re: Newbie needing some help John Gordon <gordon@panix.com> - 2014-08-09 02:51 +0000
    Re: Newbie needing some help Chris Angelico <rosuav@gmail.com> - 2014-08-09 13:03 +1000
