Dennis, Chris, thanks so much!

On Mon, Feb 6, 2012 at 1:23 AM, Dennis Lee Bieber <wlfr...@ix.netcom.com> wrote:
> On Mon, 6 Feb 2012 00:41:24 +0200, Emeka <emekami...@gmail.com> wrote:
>
> >Hello All,
> >
> >I noticed that MySQLdb not allowing hyphens may be a way to prevent injection
> >attacks.
>
> What hyphen?
>
> >I have something like below:
> >
> >"insert into reviews(message, title)values('%s', '%s')" %( "We don't know
> >where to go","We can't wait till morrow" )
> >
> <snip>
> >How do I work around this error?
>
> Very simple... DON'T QUOTE PLACEHOLDERS AND USE MySQLdb
> parameterized queries.
>
>     csr.execute("insert into reviews (message, title) values (%s, %s)",
>                 ( "We don't know where to go",
>                   "We can't wait till <sic> morrow" ) )
>
> The whole purpose of parameterized queries is that the .execute()
> logic will SAFELY wrap the supplied values with quotes AND escape any
> problem characters within the value.
>
> The reason you got an error was not a hyphen (there are no hyphens
> in your example) but rather that you closed the quote. Your generated
> SQL was:
>
>     insert into reviews (message, title) values ('We don't know where to
>     go', 'We can't wait till morrow')
>
> which means a string of:
>     "We don"
> SQL garbage
>     t know where to go
> string
>     ", "
> SQL garbage
>     We can
> and another string
>     "t wait till morrow"
> --
> Wulfraed Dennis Lee Bieber AF6VN
> wlfr...@ix.netcom.com HTTP://wlfraed.home.netcom.com/
>
> --
> http://mail.python.org/mailman/listinfo/python-list
>
--
*Satajanus Nig. Ltd *
-- http://mail.python.org/mailman/listinfo/python-list
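The two approaches Dennis contrasts, as an added example that is not part of the thread: the original post's `%`-formatted statement beside the parameterized form, run against a throwaway database so the difference is observable. The example assumes the standard-library `sqlite3` module rather than MySQLdb so it runs offline; `sqlite3` spells its placeholder `?` where MySQLdb uses `%s`, but the rule is the same (unquoted placeholders, values passed as a separate tuple). The table, the "crafted" value and the helper names are constructed for the example.

```python
import sqlite3

# Constructed sample values: the exact strings from the original post.
APOSTROPHE_MESSAGE = "We don't know where to go"
APOSTROPHE_TITLE = "We can't wait till morrow"

# Constructed attacker-controlled "message": closes the quote early,
# supplies its own title, then comments out the rest of the statement.
CRAFTED_MESSAGE = "harmless', 'attacker-chosen title') -- "
INTENDED_TITLE = "the title the application meant to store"


def new_db():
    """Fresh in-memory database with the reviews table from the thread (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table reviews (message text, title text)")
    return conn


def build_naive_sql(message, title):
    """The original post's approach: splice values into the SQL text with %.

    Nothing escapes the values, so an apostrophe inside one terminates the
    quoted literal and whatever follows is parsed as SQL.
    """
    return "insert into reviews(message, title) values('%s', '%s')" % (message, title)


def naive_insert(conn, message, title):
    conn.execute(build_naive_sql(message, title))
    conn.commit()


def safe_insert(conn, message, title):
    """Parameterized query, the fix Dennis recommends.

    The placeholders are NOT quoted; the driver quotes and escapes the values.
    With MySQLdb the same call reads:
        csr.execute("insert into reviews (message, title) values (%s, %s)",
                    (message, title))
    """
    conn.execute("insert into reviews (message, title) values (?, ?)", (message, title))
    conn.commit()


def fetch_rows(conn):
    return conn.execute("select message, title from reviews").fetchall()


def naive_fails_on_apostrophe():
    """The error from the thread: the apostrophe in "don't" closes the quote."""
    conn = new_db()
    try:
        naive_insert(conn, APOSTROPHE_MESSAGE, APOSTROPHE_TITLE)
    except sqlite3.OperationalError:
        return True
    return False


def safe_keeps_apostrophes():
    """Parameterized insert stores the apostrophes verbatim."""
    conn = new_db()
    safe_insert(conn, APOSTROPHE_MESSAGE, APOSTROPHE_TITLE)
    return fetch_rows(conn)


def naive_lets_value_rewrite_query():
    """Same bug, hostile input: the value rewrites the statement's structure.

    The generated SQL is
      insert into reviews(message, title) values('harmless', 'attacker-chosen title') -- ', '...')
    so the attacker, not the application, decides what lands in `title`.
    """
    conn = new_db()
    naive_insert(conn, CRAFTED_MESSAGE, INTENDED_TITLE)
    return fetch_rows(conn)


def safe_stores_payload_literally():
    """Parameterized insert treats the same payload as plain text."""
    conn = new_db()
    safe_insert(conn, CRAFTED_MESSAGE, INTENDED_TITLE)
    return fetch_rows(conn)


if __name__ == "__main__":
    print("naive insert failed on apostrophe:", naive_fails_on_apostrophe())
    print("parameterized insert stored:", safe_keeps_apostrophes())
    print("naive insert with crafted value stored:", naive_lets_value_rewrite_query())
    print("parameterized insert with crafted value stored:", safe_stores_payload_literally())
```

The syntax error Emeka hit and the injection are the same defect seen from two sides: once a value can close a quote, benign data breaks the query and hostile data rewrites it. Passing the values as a parameter tuple fixes both at once, which is why quoting the placeholders yourself (`'%s'`) is never the right repair.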