On Aug 13, 2009, at 6:00 PM, azrael wrote:
On 13 kol, 22:09, Philip Semanchuk <phi...@semanchuk.com> wrote:
On Aug 13, 2009, at 2:56 PM, azrael wrote:
>>> j
[u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
>>> len(j)
5
>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,
... d.id_drzava, v.id_valuta FROM ulica as u, opcina as o, zupanija
... as z, drzava as d, valuta as v WHERE u.naziv = '%s' AND o.naziv
... = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =
... '%s'""" % (j)
Traceback (most recent call last):
  File "<string>", line 1, in <string>
TypeError: not enough arguments for format string
Hi azrael,
You already have an answer to your question so I won't address that.
I want to point out that this is a dangerous way to build SQL statements.
For instance, what happens if someone enters a city name of L'viv?
Your SQL will break due to mismatched single quotes. This kind of code
is vulnerable to SQL injection attacks:
http://en.wikipedia.org/wiki/SQL_injection

Parameterized SQL is safer. Googling for 'parameterized SQL Python'
should find some examples for you.
Good luck
Philip
I know already. This is supposed to be a small office application
connecting to a LAN MySQL server with no web connection. Thank you
anyway.
You're welcome. I'm glad you are aware. You're ahead of a lot of
developers out there.
I encourage you to at least think about using parameterized SQL anyway
because you never know when someone (maybe even you!) will copy &
paste your code, or use your library without realizing that it was
"internal use only". It's usually just as easy as building SQL strings
anyway.
And besides, what about L'viv? =)
Good luck with whatever choice you make
Philip
--
http://mail.python.org/mailman/listinfo/python-list
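The L'viv case from the thread, as an added example that is not part of the original messages: the same lookup written with `%` string formatting (azrael's approach) and with driver parameters (Philip's suggestion), run against a constructed in-memory SQLite copy of two of the tables. SQLite is used only so it runs offline; MySQLdb takes the same two-argument `execute(sql, params)` but spells its placeholders `%s` instead of `?`.

```python
import sqlite3

# Constructed sample rows in the shape of the thread's lookup tables.
ULICA = [(1, "Tata"), (2, "L'viv")]
DRZAVA = [(1, "hrvatska"), (2, "Ukraine")]


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ulica (id_ulica INTEGER, naziv TEXT)")
    conn.execute("CREATE TABLE drzava (id_drzava INTEGER, naziv TEXT)")
    conn.executemany("INSERT INTO ulica VALUES (?, ?)", ULICA)
    conn.executemany("INSERT INTO drzava VALUES (?, ?)", DRZAVA)
    return conn


def lookup_formatted(conn, names):
    """The thread's approach: splice the values into the SQL text.
    A value containing a quote changes the statement itself."""
    sql = ("SELECT distinct u.id_ulica, d.id_drzava FROM ulica as u, drzava as d "
           "WHERE u.naziv = '%s' AND d.naziv = '%s'") % tuple(names)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, names):
    """Parameterized: the SQL text is fixed and the driver carries the values
    separately, so a quote in a value is just data. The list `j` from the
    thread can be passed as-is; no tuple() conversion is needed."""
    sql = ("SELECT distinct u.id_ulica, d.id_drzava FROM ulica as u, drzava as d "
           "WHERE u.naziv = ? AND d.naziv = ?")
    return conn.execute(sql, names).fetchall()


def demo():
    """Run both variants on a plain name and on L'viv; return what happened."""
    conn = connect()
    results = {}
    results["plain_formatted"] = lookup_formatted(conn, ["Tata", "hrvatska"])
    results["plain_param"] = lookup_parameterized(conn, ["Tata", "hrvatska"])
    try:
        results["lviv_formatted"] = lookup_formatted(conn, ["L'viv", "Ukraine"])
    except sqlite3.Error as exc:
        # Mismatched quotes make the statement unparsable.
        results["lviv_formatted"] = "error: %s" % exc
    results["lviv_param"] = lookup_parameterized(conn, ["L'viv", "Ukraine"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```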