Lenard Lindstrom wrote:
> >
> > I'm trying to build a SQL string
> >
> > sql = """INSERT INTO ag ('cid', 'ag', 'test') VALUES(%i, %s, %d)""",
> > (cid, ag, self.data[parent][child]['results']['test'])
>
> I am guessing you want the string formatting operator here:
>
> sql = """...""" % (cid, ...)That's a superficial solution which encourages a bad practice: if any of that data can be subverted to modify the query, as opposed to merely providing a simple value, then you have a vulnerability in your code. Perhaps the %i and %d substitutions may prevent such things, but the %s substitution won't. Paul -- http://mail.python.org/mailman/listinfo/python-list
