On 2/5/2012 2:46 PM, Chris Rebert wrote:
On Sun, Feb 5, 2012 at 2:41 PM, Emeka<emekami...@gmail.com> wrote:
Hello All,
I noticed that MySQLdb not allowing hyphen may be way to prevent injection
attack.
I have something like below:
"insert into reviews(message, title)values('%s', '%s')" %( "We don't know
where to go","We can't wait till morrow" )
ProgrammingError(1064, "You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to
use near 't know where to go.
How do I work around this error?
Don't use raw SQL strings in the first place. Use a proper
parameterized query, e.g.:
cursor.execute("insert into reviews(message, title) values (%s, %s)",
("We don't know where to go", "We can't wait till morrow"))
Yes. You are doing it wrong. Do NOT use the "%" operator when
putting SQL queries together. Let "cursor.execute" fill them
in. It knows how to escape special characters in the input fields,
which will fix your bug and prevent SQL injection.
John Nagle
--
http://mail.python.org/mailman/listinfo/python-list
