On Mon, 17 Jun 2013 21:06:16 +0300, Νίκος wrote:

> But the comma inside the execute statement doesn't protect me from such
> actions, as opposed to when I was using a substitute operator?

You are correct Nicos, passing the values as a parameter list does protect you from SQL injection. JT has made an error.

>> I would guess because you forgot the quotes around string values in your
>> SQL statement which thus wasn't executed.
>
> I tried your suggestions:
>
> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit =
> %s WHERE url = "%s"''', (host, lastvisit, filename) )
>
> seems the same as:
>
> cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit =
> %s WHERE url = %s''', (host, lastvisit, filename) )
>
> since everything is triple quoted already, what would the difference be
> in "%s" opposed to plain %s ?

As already noted, JT made an error in assuming you were using string substitution & not passing parameters; the quotes are not required & will cause errors.

As to your problem, you have already been advised that UPDATE does not generate any returned data. To see the data you need to issue a SELECT.

To make debugging easier I suggest you use an easier way to see what is happening in the database. Assuming you are using MySQL, then phpMyAdmin may help.

Also, as I have previously suggested, it would be wise to keep this system off the internet until you are satisfied it is working correctly & secure.

--
If God had really intended men to fly, he'd make it easier to get to the airport. -- George Winters
--
http://mail.python.org/mailman/listinfo/python-list
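The three points made in this reply (parameters stop injection where string substitution does not, a quoted placeholder breaks the statement, and an UPDATE returns no rows so you SELECT afterwards) as an added example that is not part of the thread. It uses Python's built-in sqlite3 so it runs offline; sqlite3 uses `?` placeholders where MySQLdb uses `%s`, and the `files` table layout and sample rows are constructed for the demonstration.

```python
import sqlite3

UNSAFE_SQL = ("UPDATE files SET hits = hits + 1, host = '%s', lastvisit = '%s'"
              " WHERE url = '%s'")
SAFE_SQL = ("UPDATE files SET hits = hits + 1, host = ?, lastvisit = ?"
            " WHERE url = ?")
# Quoting the last placeholder turns it into the literal string '?'
QUOTED_PLACEHOLDER_SQL = ("UPDATE files SET hits = hits + 1, host = ?, lastvisit = ?"
                          " WHERE url = '?'")


def make_db():
    """Constructed sample table: two pages, no hits yet."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (url TEXT, hits INTEGER, host TEXT, lastvisit TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, 0, NULL, NULL)",
                     [("index.html",), ("about.html",)])
    return conn


def update_unsafe(conn, host, lastvisit, filename):
    """String substitution: the values become part of the SQL text itself."""
    cur = conn.execute(UNSAFE_SQL % (host, lastvisit, filename))
    return cur.rowcount          # rows matched by whatever SQL resulted


def update_safe(conn, host, lastvisit, filename):
    """Parameter list: the driver binds the values, they never become SQL."""
    cur = conn.execute(SAFE_SQL, (host, lastvisit, filename))
    return cur.rowcount          # UPDATE returns no data, only a row count


def update_quoted_placeholder(conn, host, lastvisit, filename):
    """Placeholder inside quotes: only two bindings remain for three values."""
    try:
        conn.execute(QUOTED_PLACEHOLDER_SQL, (host, lastvisit, filename))
        return None
    except sqlite3.ProgrammingError as exc:
        return str(exc)          # driver rejects the binding count


def hits(conn):
    """The SELECT you need to actually see what the UPDATE did."""
    return dict(conn.execute("SELECT url, hits FROM files ORDER BY url"))
```

Run `update_safe` and `update_unsafe` with the same odd-looking filename such as `' OR '1'='1` and compare `hits(conn)`: the parameterised version matches nothing, the substituted version bumps every row.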