Thank you. That worked. Victor On Fri, Apr 18, 2008 at 10:48 AM, J. Cliff Dyer <[EMAIL PROTECTED]> wrote:
> There are several problems with your SQL, but not all of them would be
> caught by the computer. Your SELECT statement is not parameterized.
> This is a security problem. *Always* parameterize your variables. Your
> UPDATE statement has an extraneous comma at the end, and it also has
> quotes around the "%s"es that you don't need, because you already
> parameterized that query. Your dbapi interface will provide appropriate
> quoting for whatever type of data you pass it.
>
> Cheers,
> Cliff
>
>
> On Fri, 2008-04-18 at 10:13 -0500, Victor Subervi wrote:
> > Hi;
> > If I grab an image in the database thus:
> >
> > sql = "select pic1 from products where id='" + str(id) + "';"
> > cursor.execute(sql)
> > pic1 = cursor.fetchall()[0][0].tostring()
> > # pic1 = cursor.fetchall()[0][0] // either this or the above line
> >
> > and try and re-insert it thus:
> >
> > cursor.execute('update products set pic1="%s" where id="%s", ;',
> > (pic1, id))
> >
> > it tells me I have an error in my MySQL syntax. What is the error?
> > TIA,
> > Victor
> --
> Oook,
> J. Cliff Dyer
> Carolina Digital Library and Archives
> UNC Chapel Hill
>
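As an added example (not code from the thread), here is the concatenated SELECT beside its parameterized form and the corrected UPDATE. It uses the stdlib sqlite3 module, whose placeholder is `?` where MySQLdb uses `%s`; the table, sample rows and function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows: a small "products" table with an id and a blob.
# sqlite3 returns BLOB columns as bytes, so no .tostring() call is needed here.
SAMPLE_ROWS = [
    (1, b"\x89PNG\r\n\x1a\n...first image..."),
    (2, b"\xff\xd8\xff\xe0...second image..."),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (id integer primary key, pic1 blob)")
    conn.executemany("insert into products (id, pic1) values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def select_pic_concatenated(conn, id):
    # The original, unsafe form: the value is pasted into the SQL text, so
    # any quote characters inside `id` become part of the statement itself.
    sql = "select pic1 from products where id='" + str(id) + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def select_pic_parameterized(conn, id):
    # Hardened form: the driver binds the value separately from the SQL text,
    # so the value can only ever be compared, never interpreted as SQL.
    rows = conn.execute("select pic1 from products where id=?", (id,)).fetchall()
    return [row[0] for row in rows]


def update_pic(conn, pic1, id):
    # Corrected UPDATE: no quotes around the placeholders and no trailing
    # comma; the driver supplies whatever quoting the blob needs.
    cur = conn.execute("update products set pic1=? where id=?", (pic1, id))
    conn.commit()
    return cur.rowcount  # number of rows changed


if __name__ == "__main__":
    db = make_db()
    # A value carrying a quote is harmless when bound, but rewrites the
    # concatenated query so that it matches every row in the table.
    odd_id = "1' or '1'='1"
    print("concatenated rows:", len(select_pic_concatenated(db, odd_id)))
    print("parameterized rows:", len(select_pic_parameterized(db, odd_id)))
    # Round trip, as in the thread: fetch the blob and write it back unchanged.
    pic1 = select_pic_parameterized(db, 1)[0]
    print("updated:", update_pic(db, pic1, 1))
```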
-- http://mail.python.org/mailman/listinfo/python-list