In article <[EMAIL PROTECTED]>, Little <[EMAIL PROTECTED]> wrote:
>I have created the following database but the following errors occur
>when trying to execute the code.
>
>html source:
><html>
><body>
> Click here to display information from Chocolate menu:
><form action ="form.py/display" method="POST">
> <p>
> Press to view the display
> <input type="submit">
> </p>
></form>
><br>
> Please provide data for chocolate to be added:
><p>
><form action ="form.py/addchocolate" method="POST">
> <p>
> Name: <input type="text" name="z_Name" maxlength="30"><br>
> Rating: <input type="text" name="z_rating" maxlength="3"><br>
> Price : <input type="text" name="z_price" maxlength="5"><br>
> <input type="submit">
> </p>
></form>
></body>
></html>
>
>form.py source
>
>import MySQLdb
>
>def addchocolate(z_Name, z_rating, z_price):
>
> # make sure the user provided all the parameters
> if not (z_Name and z_rating and z_price):
> return "A required parameter is missing, \
> please go back and correct the error"
> db =
>MySQLdb.connect(host="localhost",user="hayward",passwd="hayward",db="hayward")
> cursor = db.cursor()
> cursor.execute(
> """INSERT INTO InventoryList (artist, title, rating) VALUES (%s,
>%s, %s)""", (z_Name, z_rating, z_price) )
I hate to ask, but what happens when I enter "a, b, c);DROP DATABASE;" as
the entry for z_name? (Or some similar attempt to close the SQL statement
and start a new one). I think you want to google for "SQL injection" and
think about sanitising user input a bit.

--
Jim Segrave ([EMAIL PROTECTED])

--
http://mail.python.org/mailman/listinfo/python-list
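As an added example (not code from either poster), here is the string-interpolation pattern the reply warns about beside the parameter-binding call style used in the quoted form.py, each run against the probe string from the reply and against an ordinary name containing a quote character. It uses an in-memory sqlite3 table as a stand-in for the MySQL one; the table, columns and sample inputs are constructed for the demo.

```python
import sqlite3

# Constructed, in-memory stand-in for the thread's MySQL table. MySQLdb follows
# the same DB-API convention as sqlite3: values go in execute()'s second
# argument (MySQLdb uses %s placeholders where sqlite3 uses ?).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE InventoryList (artist TEXT, title TEXT, rating TEXT)")
    return db

def insert_interpolated(db, z_Name, z_rating, z_price):
    """Risky pattern: the user's text is pasted into the SQL before it is parsed."""
    sql = ("INSERT INTO InventoryList (artist, title, rating) "
           "VALUES ('%s', '%s', '%s')" % (z_Name, z_rating, z_price))
    db.execute(sql)

def insert_bound(db, z_Name, z_rating, z_price):
    """Binding pattern: the SQL text is fixed, the values travel separately as data."""
    db.execute("INSERT INTO InventoryList (artist, title, rating) VALUES (?, ?, ?)",
               (z_Name, z_rating, z_price))

def outcome(insert, z_Name):
    """Run one insert style on a fresh table; report what the engine did with it."""
    db = make_db()
    try:
        insert(db, z_Name, "5", "1.00")
    except sqlite3.Error as exc:
        # The engine could not parse the statement the interpolation produced.
        return ("error", type(exc).__name__)
    rows = db.execute("SELECT artist FROM InventoryList").fetchall()
    return ("stored", rows[0][0])

def compare(z_Name):
    return {"interpolated": outcome(insert_interpolated, z_Name),
            "bound": outcome(insert_bound, z_Name)}

if __name__ == "__main__":
    # The probe string from the reply above, and a legitimate name with a quote.
    for name in ["a, b, c);DROP DATABASE;", "O'Reilly"]:
        print(repr(name), "->", compare(name))
```

With binding the value always lands in the artist column verbatim, whatever characters it contains; with interpolation the quote in "O'Reilly" changes how the engine parses the statement, which is the same mechanism an attacker's input would exploit.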