On Thu, Aug 13, 2009 at 4:09 PM, Philip Semanchuk <phi...@semanchuk.com> wrote:
> On Aug 13, 2009, at 2:56 PM, azrael wrote:
>
>> >>> j
>> [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
>> >>> len(j)
>> 5
>> >>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
>> d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija as z,
>> drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv = '%s' AND
>> z.naziv = '%s' AND d.naziv = '%s' AND v.naziv = '%s'""" % (j)
>> Traceback (most recent call last):
>>   File "<string>", line 1, in <string>
>> TypeError: not enough arguments for format string
>
> Hi azrael,
> You already have an answer to your question so I won't address that. I want
> to point out that this is a dangerous way to build SQL statements.
>
> For instance, what happens if someone enters a city name of L'viv? Your
> SQL will break due to mismatched single quotes. This kind of code is
> vulnerable to SQL injection attacks:
> http://en.wikipedia.org/wiki/SQL_injection

No explanation of SQL injection is complete without a link to the relevant XKCD.
http://xkcd.com/327/

> Parameterized SQL is safer. Googling for 'parameterized SQL Python' should
> find some examples for you.
>
> Good luck
> Philip
> --
> http://mail.python.org/mailman/listinfo/python-list
--
http://mail.python.org/mailman/listinfo/python-list
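The L'viv case Philip raises, worked through as an added example (not code from the thread): the `%`-formatted lookup breaks on the apostrophe, while the same lookup with a `?` placeholder returns the row. The single `opcina` table and its two rows are a constructed stand-in for the five-table schema in azrael's query; `sqlite3` is used because it ships with Python.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the thread's `opcina`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE opcina (id_opcina INTEGER PRIMARY KEY, naziv TEXT)")
    conn.executemany("INSERT INTO opcina (naziv) VALUES (?)",
                     [("Oriovac",), ("L'viv",)])
    return conn


def lookup_formatted(conn, naziv):
    """The pattern from the thread: the value is spliced into the SQL text.
    Returns the matching ids, or the error class name when the statement
    no longer parses (the single quote in L'viv closes the literal early)."""
    sql = "SELECT id_opcina FROM opcina WHERE naziv = '%s'" % (naziv,)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return type(exc).__name__


def lookup_parameterized(conn, naziv):
    """Parameterized form: the driver sends the value separately from the
    statement, so quote characters in the value never reach the SQL parser."""
    sql = "SELECT id_opcina FROM opcina WHERE naziv = ?"
    return [row[0] for row in conn.execute(sql, (naziv,))]


if __name__ == "__main__":
    db = make_db()
    for name in ("Oriovac", "L'viv"):
        print(name, "formatted:", lookup_formatted(db, name),
              "parameterized:", lookup_parameterized(db, name))
```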