On Sun, Feb 5, 2012 at 2:41 PM, Emeka <emekami...@gmail.com> wrote:
>
> Hello All,
>
> I noticed that MySQLdb not allowing hyphen may be way to prevent injection
> attack.
> I have something like below:
>
> "insert into reviews(message, title)values('%s', '%s')" %( "We don't know
> where to go","We can't wait till morrow" )
>
> ProgrammingError(1064, "You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right syntax to
> use near 't know where to go.
>
> How do I work around this error?
Don't use raw SQL strings in the first place. Use a proper parameterized query, e.g.:

    cursor.execute("insert into reviews(message, title) values (%s, %s)",
                   ("We don't know where to go", "We can't wait till morrow"))

Cheers,
Chris
--
http://mail.python.org/mailman/listinfo/python-list
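The two approaches from this thread side by side, as an added example that is not part of either message. It uses the standard-library sqlite3 module in place of MySQLdb so it runs offline (sqlite3 uses the `?` paramstyle where MySQLdb uses `%s`, and reports the syntax error as OperationalError rather than ProgrammingError); the table and the two sample strings are constructed from the question.

```python
import sqlite3


def open_db():
    """In-memory stand-in for the MySQL database, with the reviews table
    from the question (assumed columns: message, title)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table reviews(message text, title text)")
    return conn


def insert_naive(conn, message, title):
    """The pattern from the question: data spliced into the SQL text with %.
    The apostrophe in "don't" closes the string literal early, so the rest
    of the data is parsed as SQL and the statement is rejected. Returns
    True if the database accepted the statement, False if it did not."""
    sql = "insert into reviews(message, title) values('%s', '%s')" % (message, title)
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:  # MySQLdb raises ProgrammingError(1064) here
        return False


def insert_parameterized(conn, message, title):
    """Chris's advice: the SQL and the data travel separately, so quotes in
    the data are stored as data and never reach the SQL parser."""
    conn.execute("insert into reviews(message, title) values (?, ?)", (message, title))
    conn.commit()


def fetch_all(conn):
    return conn.execute("select message, title from reviews").fetchall()


def demo():
    conn = open_db()
    message, title = "We don't know where to go", "We can't wait till morrow"
    naive_ok = insert_naive(conn, message, title)      # False: literal broken by the apostrophe
    insert_parameterized(conn, message, title)         # stored intact, apostrophes and all
    return naive_ok, fetch_all(conn)


if __name__ == "__main__":
    ok, rows = demo()
    print("naive insert accepted:", ok)
    print("rows stored via parameters:", rows)
```

The same separation of SQL from data is what stops an apostrophe (or anything after it) in user input from being executed as part of the statement, which is the injection concern the question raises.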