AJ wrote:
[...]
> sql = """
> SELECT MAX(`table`.`id`)
> FROM `table`
> WHERE `table`.`name` LIKE '%(kw)s'
> GROUP BY `table`.`original_id`;"""
> 
> sql = sql % {'kw' : '%%' + query + '%%'}
> cursor.execute(sql)
[...]

This is the wrong way to do this, and your problem explains why.

Take a look at [1]; you were right, the db module handles those things for you. Typically, you use "%s" in your query where you want to put an external value, you give a list of values to the "execute" method, and the database's backend will correctly handle the value's quotation for you.

In addition to protecting you from SQL injections, it will give you more portability between different databases (since they don't handle quotations the same way).

  - Jonathan

[1] : http://www.djangoproject.com/documentation/model-api/#executing-custom-sql
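As an added illustration of the advice above (example code, not from the original thread or from Django): the interpolated LIKE query from the quoted post placed beside the parameterized form, run against a constructed in-memory sqlite3 table. Note that sqlite3's placeholder is `?` where Django's cursor uses `%s`; the `%` wildcards go inside the parameter value either way.

```python
import sqlite3

def make_db():
    """Constructed sample table; column names are assumed, not the poster's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT, original_id INTEGER)")
    conn.executemany(
        "INSERT INTO item (name, original_id) VALUES (?, ?)",
        [("O'Reilly book", 1), ("Reilly notes", 1), ("Other", 2), ("O'Reilly reprint", 2)],
    )
    return conn

def max_ids_interpolated(conn, query):
    # The pattern from the quoted post: the search term is pasted into the SQL text,
    # so any quote character in it becomes part of the statement.
    sql = "SELECT MAX(id) FROM item WHERE name LIKE '%(kw)s' GROUP BY original_id;"
    sql = sql % {"kw": "%" + query + "%"}
    return sorted(r[0] for r in conn.execute(sql))

def max_ids_parameterized(conn, query):
    # The recommended form: a placeholder in the SQL, the value passed separately.
    # The LIKE wildcards are part of the *value*, so they need no escaping in the SQL.
    sql = "SELECT MAX(id) FROM item WHERE name LIKE ? GROUP BY original_id;"
    return sorted(r[0] for r in conn.execute(sql, ["%" + query + "%"]))

def interpolation_breaks(conn, query):
    """True if the interpolated version fails on this input (malformed SQL)."""
    try:
        max_ids_interpolated(conn, query)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(max_ids_parameterized(db, "O'Reilly"))   # works: [1, 4]
    print(interpolation_breaks(db, "O'Reilly"))    # True: the quote ends the string literal
```

With Django's raw cursor the same query reads `LIKE %s` with `['%' + query + '%']` as the parameter list; a literal `%` that belongs in the SQL text itself (not in a parameter) has to be written as `%%` there.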
