Kun <[EMAIL PROTECTED]> writes:
[...]
> mysqlstatement = "INSERT INTO dir (date, purchasetype, price, comment)
> VALUES ('"+ date +"','"+ purchasetype +"','"+ price +"','"+ comment +"' )"
[...]
Haven't read your post carefully, but the first thing that jumps out
at me is that you should be using SQL parameter interpolation, not
Python string formatting.
sql = ("INSERT INTO dir (date, purchasetype, price, comment) "
"VALUES (%s, %s, %s, %s)")
cursor.execute(sql, (date, purchasetype, price, comment))
Google for "SQL injection" to see why this is a nasty security issue,
not just a matter of practical coding convenience.
John
--
http://mail.python.org/mailman/listinfo/python-list
