On Mon, 17 Jun 2013 22:30:57 +0300, Νίκος wrote:

> On 17/6/2013 10:05 PM, Alister wrote:
>> You are correct Nicos, passing the values as a parameter list does
>> protect you from SQL injection. JT has made an error.
>
> Even if the query is something like:
>
> http://superhost.gr/cgi-bin/files.py?filename="Select....."
>
> From what exactly does the comma protect me?
>
> What if the user passes data to the filename variable through the URL? Will
> the comma understand that?
> How can it tell a normal filename from a select statement
> acting as a filename value?
This is because the execute method is written to escape the contents of the
parameter list.

If you want more information you really do need to read either the
documentation or a good tutorial, which would explain things far better than I
can. Otherwise, prove it to yourself by creating a dummy database & trying it.
Make sure you are NOT using your production database so you do not risk any
real data.

-- 
Being a BALD HERO is almost as FESTIVE as a TATTOOED KNOCKWURST.

-- 
http://mail.python.org/mailman/listinfo/python-list
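The dummy-database experiment suggested above, as an added example that is not part of the thread: it uses Python's sqlite3 module with a constructed in-memory `files` table standing in for whatever files.py queries, and looks up the same user-supplied filename once by string formatting and once via the parameter list, so the difference in what the database sees is visible in the returned rows.

```python
import sqlite3

# Constructed sample rows standing in for the real table behind files.py
SAMPLE_FILES = [("index.html", 10), ("about.html", 3), ("contact.html", 7)]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (filename TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_FILES)
    return conn


def lookup_unsafe(conn, filename):
    """String formatting: the value is spliced into the SQL text itself."""
    sql = "SELECT filename, hits FROM files WHERE filename = '%s'" % filename
    return conn.execute(sql).fetchall()


def lookup_safe(conn, filename):
    """Parameter list: the driver binds the value as data, never as SQL."""
    sql = "SELECT filename, hits FROM files WHERE filename = ?"
    return conn.execute(sql, (filename,)).fetchall()


# Constructed inputs: an ordinary filename, a value that is literally a SELECT
# statement (Nikos's question), and a value carrying a stray quote character.
NORMAL = "index.html"
SELECT_AS_NAME = "SELECT hits FROM files"
QUOTED = "index.html' OR '1'='1"


def demo():
    """Run each lookup and return the rows, keyed by which input was used."""
    conn = make_db()
    return {
        "safe_normal": lookup_safe(conn, NORMAL),      # one matching row
        "safe_select": lookup_safe(conn, SELECT_AS_NAME),  # compared as text: no rows
        "safe_quoted": lookup_safe(conn, QUOTED),      # compared as text: no rows
        "unsafe_quoted": lookup_unsafe(conn, QUOTED),  # quote breaks out: every row
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the parameter list, a filename that happens to look like SQL is just a string that matches no row; only the string-formatted query lets the stray quote change the WHERE clause.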