On 13 kol, 22:09, Philip Semanchuk <phi...@semanchuk.com> wrote:
> On Aug 13, 2009, at 2:56 PM, azrael wrote:
>
> > >>> j
> > [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
> > >>> len(j)
> > 5
> > >>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
> > ... d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija
> > ... as z, drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv
> > ... = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =
> > ... '%s'""" % (j)
> > Traceback (most recent call last):
> >   File "<string>", line 1, in <string>
> > TypeError: not enough arguments for format string
>
> Hi azrael,
> You already have an answer to your question so I won't address that. I
> want to point out that this is a dangerous way to build SQL statements.
>
> For instance, what happens if someone enters a city name of L'viv?
> Your SQL will break due to mismatched single quotes. This kind of code
> is vulnerable to SQL injection
> attacks: http://en.wikipedia.org/wiki/SQL_injection
>
> Parameterized SQL is safer. Googling for 'parameterized SQL Python'
> should find some examples for you.
>
> Good luck
> Philip
I know already. This is supposed to be a small office application connecting on a LAN MySQL server with no web connection. Thank you anyway

--
http://mail.python.org/mailman/listinfo/python-list
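The two ways of building the query from the thread, side by side, as an added example that is not part of the original posts. It uses Python's built-in sqlite3 module rather than a MySQL server so it runs offline; the five tables and their rows are constructed here to mirror the names in azrael's query (only the `naziv` and `id_*` columns are assumed). The first function keeps the `%`-formatting approach (with `tuple(j)` instead of `(j)`, which is what the `TypeError` is about) and shows it failing on exactly the `L'viv` case Philip raises; the second sends the values as parameters so a quote in the data stays data.

```python
import sqlite3

# Constructed schema: one table per alias in the thread's query, each with
# an integer id column and a naziv (name) column. Table names come from this
# fixed tuple, never from user input, so using them in f-strings is safe.
TABLES = ("ulica", "opcina", "zupanija", "drzava", "valuta")

# Constructed rows. opcina contains L'viv, the name Philip uses as his example.
ROWS = {
    "ulica": ["Tata"],
    "opcina": ["Oriovac", "L'viv"],
    "zupanija": ["PrimorskoGoranska"],
    "drzava": ["hrvatska"],
    "valuta": ["Kuna"],
}

UNSAFE_TEMPLATE = """SELECT DISTINCT u.id_ulica, o.id_opcina, z.id_zupanija,
d.id_drzava, v.id_valuta FROM ulica AS u, opcina AS o, zupanija AS z,
drzava AS d, valuta AS v WHERE u.naziv = '%s' AND o.naziv = '%s'
AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv = '%s'"""

# Same query with placeholders. sqlite3 uses '?'; MySQLdb and PyMySQL use
# '%s' as the placeholder, but the execute(sql, params) call is the same.
PARAM_TEMPLATE = """SELECT DISTINCT u.id_ulica, o.id_opcina, z.id_zupanija,
d.id_drzava, v.id_valuta FROM ulica AS u, opcina AS o, zupanija AS z,
drzava AS d, valuta AS v WHERE u.naziv = ? AND o.naziv = ?
AND z.naziv = ? AND d.naziv = ? AND v.naziv = ?"""


def make_db():
    """Create an in-memory database with the constructed tables and rows."""
    conn = sqlite3.connect(":memory:")
    for t in TABLES:
        conn.execute(f"CREATE TABLE {t} (id_{t} INTEGER PRIMARY KEY, naziv TEXT)")
        conn.executemany(f"INSERT INTO {t} (naziv) VALUES (?)",
                         [(name,) for name in ROWS[t]])
    conn.commit()
    return conn


def lookup_unsafe(conn, j):
    """Build the SQL text by string formatting, as in the original snippet.

    `% (j)` in the thread passes the list itself as a single argument, which
    is why it raised TypeError; tuple(j) supplies five values. The query text
    is still assembled from raw input, so a quote inside a value breaks it.
    """
    sql = UNSAFE_TEMPLATE % tuple(j)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, j):
    """Send the five values separately from the SQL text (parameterized SQL)."""
    return conn.execute(PARAM_TEMPLATE, tuple(j)).fetchall()


def demo():
    """Run both lookups on a plain name list and on one containing L'viv."""
    conn = make_db()
    plain = ["Tata", "Oriovac", "PrimorskoGoranska", "hrvatska", "Kuna"]
    quoted = ["Tata", "L'viv", "PrimorskoGoranska", "hrvatska", "Kuna"]
    results = {"unsafe_plain": lookup_unsafe(conn, plain)}
    try:
        lookup_unsafe(conn, quoted)
        results["unsafe_quoted"] = "no error"
    except sqlite3.OperationalError:
        # The formatted text reads ... o.naziv = 'L'viv' ..., which the
        # database cannot parse: the mismatched-quote failure from the thread.
        results["unsafe_quoted"] = "OperationalError"
    # The parameterized form finds the L'viv row (id 2 in opcina) without
    # any quoting trouble.
    results["param_quoted"] = lookup_parameterized(conn, quoted)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The failure here is only a syntax error because sqlite3 refuses the malformed text; with a name containing a quote crafted differently the formatted string becomes a different query, which is the injection risk Philip links to. The parameterized version never re-parses the data as SQL, which is why it is the right fix even when the only client is a LAN office application.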