On Aug 13, 2009, at 2:56 PM, azrael wrote:

j
[u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
len(j)
5
h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija, d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija as z, drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv = '%s'""" % (j)
Traceback (most recent call last):
 File "<string>", line 1, in <string>
TypeError: not enough arguments for format string

Hi azrael,
You already have an answer to your question so I won't address that. I want to point out that this is a dangerous way to build SQL statements.

For instance, what happens if someone enters a city name of L'viv? Your SQL will break due to mismatched single quotes. This kind of code is vulnerable to SQL injection attacks:
http://en.wikipedia.org/wiki/SQL_injection

Parameterized SQL is safer. Googling for 'parameterized SQL Python' should find some examples for you.

Good luck
Philip
--
http://mail.python.org/mailman/listinfo/python-list
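The contrast Philip describes, as an added example that is not part of the thread: the same five-table lookup run once with the values formatted into the SQL text (azrael's approach) and once with `?` placeholders bound by the driver. It assumes an in-memory sqlite3 database with a few constructed rows; the table and column names are taken from azrael's query, everything else is made up for the demonstration.

```python
import sqlite3

# Constructed sample input, mirroring the list `j` from the thread.
NAMES = ["Tata", "Oriovac", "PrimorskoGoranska", "hrvatska", "Kuna"]

# azrael's query with the values spliced into the SQL text.
# (`% (j)` is not a tuple, which is what raised the TypeError in the thread;
#  `% tuple(names)` below gets past that, but the quoting problem remains.)
NAIVE = """SELECT DISTINCT u.id_ulica, o.id_opcina, z.id_zupanija, d.id_drzava, v.id_valuta
FROM ulica AS u, opcina AS o, zupanija AS z, drzava AS d, valuta AS v
WHERE u.naziv = '%s' AND o.naziv = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv = '%s'"""

# Same query with `?` placeholders; the driver passes the values separately,
# so quotes inside a value are just characters, never SQL syntax.
PARAMETERIZED = """SELECT DISTINCT u.id_ulica, o.id_opcina, z.id_zupanija, d.id_drzava, v.id_valuta
FROM ulica AS u, opcina AS o, zupanija AS z, drzava AS d, valuta AS v
WHERE u.naziv = ? AND o.naziv = ? AND z.naziv = ? AND d.naziv = ? AND v.naziv = ?"""

# Table -> (id column, constructed rows). Assumed schema, not azrael's real one.
SCHEMA = {
    "ulica": ("id_ulica", [(1, "Tata"), (2, "L'viv")]),
    "opcina": ("id_opcina", [(1, "Oriovac")]),
    "zupanija": ("id_zupanija", [(1, "PrimorskoGoranska")]),
    "drzava": ("id_drzava", [(1, "hrvatska")]),
    "valuta": ("id_valuta", [(1, "Kuna")]),
}


def make_db():
    """Build the in-memory database with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    for table, (id_col, rows) in SCHEMA.items():
        # Identifiers cannot be bound as parameters; these come from the
        # program's own constants above, never from user input.
        conn.execute("CREATE TABLE %s (%s INTEGER PRIMARY KEY, naziv TEXT)" % (table, id_col))
        conn.executemany("INSERT INTO %s VALUES (?, ?)" % table, rows)
    conn.commit()
    return conn


def naive_lookup(conn, names):
    """String formatting: works until a value contains a single quote."""
    return conn.execute(NAIVE % tuple(names)).fetchall()


def naive_lookup_breaks(conn, names):
    """True if the formatted query is rejected by the database as malformed SQL."""
    try:
        naive_lookup(conn, names)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_ids(conn, names):
    """Parameterized query: the five values are bound, not interpolated."""
    return conn.execute(PARAMETERIZED, tuple(names)).fetchall()


if __name__ == "__main__":
    db = make_db()
    lviv = ["L'viv"] + NAMES[1:]
    print("plain names, naive:        ", naive_lookup(db, NAMES))
    print("L'viv, naive breaks:       ", naive_lookup_breaks(db, lviv))
    print("L'viv, parameterized:      ", lookup_ids(db, lviv))
```

With the plain names both versions return the same row; with the street name L'viv the formatted query is malformed SQL (sqlite3 raises OperationalError), while the parameterized query simply matches the row containing the quote. The DB-API placeholder style depends on the driver (`?` for sqlite3, `%s` for several others), but the principle of passing values as a separate argument to `execute` is the same.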