On Sun, 06 Nov 2005 23:29:01 -0000, Jim Segrave wrote:
> In article <[EMAIL PROTECTED]>,
> Little <[EMAIL PROTECTED]> wrote:
> > cursor.execute(
> > """INSERT INTO InventoryList (artist, title, rating) VALUES (%s,
> > %s, %s)""", (z_Name, z_rating, z_price) )
>
> I hate to ask, but what happens when I enter "a, b, c);DROP
> DATABASE;" as the entry for z_name? (Or some similar attempt to
> close the SQL statement and start a new one). I think you want to
> google for "SQL injection" and think about sanitising user input a bit.
The OP is using execute() with a parameter tuple. This is the correct method for executing a parametrized query, and it is immune to SQL injection as long as the DB module implements parameter substitution in a sane way.

Best regards,
Carsten Haese.

--
http://mail.python.org/mailman/listinfo/python-list
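The distinction Carsten draws, as an added example that is not part of the thread: a parametrized execute() beside the string-formatting pattern Jim warned about. It uses the standard-library sqlite3 module, whose paramstyle is `?` rather than the `%s` of the OP's module, and the table schema and inputs below are constructed for the demonstration.

```python
import sqlite3

SCHEMA = "CREATE TABLE InventoryList (artist TEXT, title TEXT, rating INTEGER)"


def insert_parametrized(conn, artist, title, rating):
    """The DB-API way from the thread: the module binds each value, so the
    SQL text the engine parses is fixed and the values can only be data.
    sqlite3 uses the 'qmark' paramstyle ('?'); MySQLdb uses 'format' ('%s').
    Read your module's .paramstyle attribute instead of guessing."""
    conn.execute(
        "INSERT INTO InventoryList (artist, title, rating) VALUES (?, ?, ?)",
        (artist, title, rating),
    )


def insert_formatted(conn, artist, title, rating):
    """The pattern Jim warned about: Python's % operator splices the values
    into the SQL text before the engine sees it, so a quote character in
    the data changes the structure of the statement."""
    conn.execute(
        "INSERT INTO InventoryList (artist, title, rating) VALUES ('%s', '%s', %s)"
        % (artist, title, rating)
    )


def stored_artists(conn):
    """Return the artist column exactly as the database holds it."""
    return [row[0] for row in conn.execute("SELECT artist FROM InventoryList ORDER BY rowid")]


def run_demo():
    """Returns (artists stored by the parametrized inserts,
    name of the error class raised by the formatted insert, or None)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Constructed inputs: the statement-closing attempt quoted in the thread,
    # and an ordinary name with an apostrophe, which is just as disruptive.
    hostile = "a, b, c);DROP DATABASE;"
    apostrophe = "O'Neil"
    insert_parametrized(conn, hostile, "Some Title", 5)      # stored verbatim as data
    insert_parametrized(conn, apostrophe, "Other Title", 4)  # stored verbatim as data
    try:
        insert_formatted(conn, apostrophe, "Other Title", 4)  # quote breaks the SQL
        error = None
    except sqlite3.Error as exc:
        error = type(exc).__name__
    return stored_artists(conn), error


if __name__ == "__main__":
    print(run_demo())
```

With binding, both strings land in the table unchanged; with formatting, the apostrophe alone turns the insert into a syntax error, which is the same mechanism an attacker relies on to rewrite the statement.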