Diez B. Roggisch wrote:
> "Select * from table where name like '%s%%'" %
> "José".decode("latin-1").encode("utf-8")Ouch! Please use parameter passing instead of building full SQL statements with embedded parameter values. You're opening up for SQL injection attacks if you allow user provided input in SQL code. Imagine that instead of "José", you had gotten "';DELETE FROM TABLE;SELECT * FROM TABLE WHERE NAME LIKE='" -- http://mail.python.org/mailman/listinfo/python-list
