On Jun 23, 2010, at 9:12 AM, Paul Rubin <no.em...@nospam.invalid> wrote:
> Stephen Hansen <me+list/pyt...@ixokai.io> writes:
>> On 6/23/10 6:45 AM, Victor Subervi wrote:
>>> cursor.execute('select clientEmail from clients where client=%s', ...
>> Do, 'client.replace("_", " ")' instead.
>
> Er, look what happened to Little Bobby Tables (a quick web search on
> his name should find his story) because someone wrote code like that.
> Really, write the code a different way, with a prepared query.

I think you misread. He is using parameterized queries-- just
incorrectly, as addressed later that you didn't quote. He isn't using
string formatting to generate the SQL. The mysql layer just uses %s as a
marker.

The line you did quote was just about using string methods for the data
to pass into the parameterized query-- not for SQL purposes but just
because the data in the table apparently has spaces and the data in this
part of his app has underscores. For some reason.

--Stephen
-- http://mail.python.org/mailman/listinfo/python-list
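The distinction Stephen draws above, as an added example that is not code from the thread: the string method is applied to the data, the placeholder stays in the SQL, and the value is handed to the driver separately. It uses the standard-library sqlite3 module so it runs offline (sqlite3 writes the marker as ? where MySQLdb writes %s); the table contents are constructed sample data.

```python
import sqlite3

# Constructed sample data: one client name contains an apostrophe, the
# kind of input that breaks a statement assembled by string formatting.
SAMPLE_CLIENTS = [
    ("Acme O'Neil", "oneil@example.invalid"),
    ("Bobs Burgers", "bob@example.invalid"),
]


def make_db():
    """Build an in-memory database with a clients table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table clients (client text, clientEmail text)")
    conn.executemany("insert into clients values (?, ?)", SAMPLE_CLIENTS)
    return conn


def email_unsafe(conn, client):
    """The pattern Paul objected to: data is spliced into the SQL text.

    A quote character in the data becomes part of the statement, so even
    an innocent apostrophe terminates the literal early and the query fails.
    """
    sql = "select clientEmail from clients where client='%s'" % client.replace("_", " ")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def email_parameterized(conn, client):
    """The pattern Victor actually used: the marker stays in the SQL and the
    value travels separately.  .replace() touches only the data value, so the
    driver quotes it correctly whatever characters it contains.
    """
    sql = "select clientEmail from clients where client=?"
    row = conn.execute(sql, (client.replace("_", " "),)).fetchone()
    return row[0] if row else None


def lookup_outcomes(client="Acme_O'Neil"):
    """Return (unsafe_result, parameterized_result) for one app-side input."""
    conn = make_db()
    try:
        unsafe = email_unsafe(conn, client)
    except sqlite3.Error as exc:  # the apostrophe broke the statement
        unsafe = "error: %s" % exc
    safe = email_parameterized(conn, client)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    print(lookup_outcomes())
```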