Kun <[EMAIL PROTECTED]> writes:
[...]
> mysqlstatement = "INSERT INTO dir (date, purchasetype, price, comment) 
> VALUES ('"+ date +"','"+ purchasetype +"','"+ price +"','"+ comment +"' )"
[...]

Haven't read your post carefully, but the first thing that jumps out
at me is that you should be using SQL parameter interpolation, not
Python string formatting.

sql = ("INSERT INTO dir (date, purchasetype, price, comment) "
       "VALUES (%s, %s, %s, %s)")
cursor.execute(sql, (date, purchasetype, price, comment))


Google for "SQL injection" to see why this is a nasty security issue,
not just a matter of practical coding convenience.


John

-- 
http://mail.python.org/mailman/listinfo/python-list
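As an added illustration of John's point (example code, not part of the original thread): the concatenated statement beside the parameterised one, using the standard-library sqlite3 module in place of MySQL so it runs offline. sqlite3 uses `?` placeholders where MySQLdb uses `%s`; the table and sample values are constructed for the example.

```python
import sqlite3


def make_db():
    # In-memory stand-in for the poster's MySQL table (constructed for this example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dir (date TEXT, purchasetype TEXT, price TEXT, comment TEXT)")
    return conn


def insert_by_concatenation(conn, date, purchasetype, price, comment):
    # The original approach: values pasted into the SQL text. Any quote in the
    # data becomes part of the statement, so the data can change its meaning.
    sql = ("INSERT INTO dir (date, purchasetype, price, comment) VALUES ('"
           + date + "','" + purchasetype + "','" + price + "','" + comment + "')")
    conn.execute(sql)


def insert_with_parameters(conn, date, purchasetype, price, comment):
    # Parameter interpolation: the driver passes the values separately from the
    # statement, so they are always treated as data, quotes included.
    # sqlite3 uses '?' placeholders; MySQLdb uses '%s' for the same thing.
    sql = ("INSERT INTO dir (date, purchasetype, price, comment) "
           "VALUES (?, ?, ?, ?)")
    conn.execute(sql, (date, purchasetype, price, comment))


def stored_comments(conn):
    return [row[0] for row in conn.execute("SELECT comment FROM dir ORDER BY rowid")]


def demo():
    """Insert a comment containing an apostrophe both ways; return (concat_error, stored)."""
    conn = make_db()
    comment = "Bought at O'Reilly's"  # constructed sample input containing a single quote
    concat_error = None
    try:
        insert_by_concatenation(conn, "2007-01-01", "book", "9.99", comment)
    except sqlite3.OperationalError as e:
        concat_error = str(e)  # the quote in the data broke the statement
    insert_with_parameters(conn, "2007-01-01", "book", "9.99", comment)
    return concat_error, stored_comments(conn)


if __name__ == "__main__":
    err, rows = demo()
    print("concatenation failed with:", err)
    print("parameterised version stored:", rows)
```

The concatenated insert fails as soon as the data contains a quote; the parameterised insert stores the same value verbatim, which is exactly why the latter closes the injection problem rather than merely tidying the code.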