Raja Raman wrote:
> Hi Gregarican,
> Thanks for sharing your code. One needs to add the % signs if one
> wants to do wildcard searches using LIKE in the SQL server.
> Do as Roger and Steve suggested '%raj%', now you can find the names
> containing the word raj anywhere in the column.
> just va
Raja Raman Sundararajan wrote:
[...]
> Any inputs to improve the IN statement logic?
> My dream is to use just one create parameter for the SQL list
> so that the query looks like
> query = "SELECT * FROM tb_name WHERE firstname IN ?"
> Nice and easy...
>
Some DBAPI modules will indeed allow y
Hi Gregarican,
Thanks for sharing your code. One needs to add the % signs if one
wants to do wildcard searches using LIKE in the SQL server.
Do as Roger and Steve suggested '%raj%', now you can find the names
containing the word raj anywhere in the column.
just value = 'raj' is only going to fe
The IN statement logic is a good mind exercise if there are multiple
parameters that needed to be brought in. Below is the code that fixed
the LIKE statement logic where you needed an ADO parameterized query
used. Apparently the percent signs don't have to be referenced anywhere
in the code, as my
Thanks. Please keep us posted. For some of my potentially exposed areas
I was just doing regex lookups against the input parameter to filter
out possible SQL injection keywords. Obviously not as elegant and
efficient as using ADO parameters to strictly define the data that
should be coming into the
Ok guys! The problem seems to be much easier to solve than first
thought. -->Shoot<--
Using the correct CreateParameter statement seems to do the trick.
For example creating the parameter as
cmd.CreateParameter(name,const.adVarChar, const.adParamInput, Size=16,
Value=value[i])
This does not seem to work well, Roger
>>> value = '%raj%'
>>> cmd.CommandText = "select * from table_name where firstname LIKE ?"
result is 0 where I expected 4
/Raja Raman
--
http://mail.python.org/mailman/listinfo/python-list
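Putting the wildcards into the parameter value (the CreateParameter fix above) and expanding an IN list to one placeholder per element (the "one parameter for the SQL list" question earlier in the thread), as an added example that is not code from the thread. It uses the standard-library sqlite3 module as an offline stand-in for the ADO/MSSQL connection, since both take bare ? placeholders; the table name and the sample rows are constructed.

```python
import sqlite3

# Constructed sample data standing in for the tb_name table on the MSSQL server.
SAMPLE_NAMES = ["raj", "Raja", "Sundararajan", "Steve", "Roger"]


def make_db():
    """In-memory SQLite stand-in for the ADO connection (same ? placeholder style)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_name (firstname TEXT)")
    conn.executemany("INSERT INTO tb_name VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def find_like(conn, fragment):
    """Names containing `fragment` anywhere in the column.

    The % wildcards belong in the parameter VALUE, not in the SQL text, so the
    statement keeps a bare ? placeholder and the fragment is never parsed as SQL.
    """
    pattern = "%" + fragment + "%"
    sql = "SELECT firstname FROM tb_name WHERE firstname LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


def find_in(conn, names):
    """Names that appear in the `names` list, with one ? per list element.

    Only the placeholder list is built by string formatting; the values
    themselves travel as bound parameters. An empty list is handled up front
    because `IN ()` is not valid T-SQL.
    """
    if not names:
        return []
    placeholders = ", ".join("?" for _ in names)
    sql = "SELECT firstname FROM tb_name WHERE firstname IN (%s)" % placeholders
    return sorted(row[0] for row in conn.execute(sql, tuple(names)))


if __name__ == "__main__":
    db = make_db()
    print(find_like(db, "raj"))  # every name containing raj (case-insensitive here)
    # Bound as a parameter, the payload quoted in the thread is only a string to
    # compare against; no stored name contains it, so no rows come back and no
    # extra statement runs.
    print(find_like(db, "'WAITFOR DELAY '00:00:03'--"))
    print(find_in(db, ["Steve", "Roger", "nobody"]))
```

SQLite's LIKE is case-insensitive for ASCII by default, as is a typical MSSQL collation, so "Raja" matches '%raj%' in both.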
Hello Steve, Roger and Pete,
Nice to read your reply. Well, I can do an assert check for
integers and then filter out hazardous SQL injection characters for
varchars and do a direct substitution of the filtered values with the
SQL statement.
But by using ADO, input strings can be treated as wh
Well, the raw TSQL would be:
select * from tb_name where firstname like '%raj%'
I think that would more translate to:
name = "raj"
cmd.CommandText = "SELECT * FROM tb_name WHERE firstname like '%%%s%%'" % name
Perhaps issuing a print statement of the CommandText would help for future runs
to de
<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hello guys,
> I am trying to query the MSSQL DB using ADO.
> I am not able to make the LIKE statement fetch the correct results.
> Can anyone tell me what I need to do to get this working?
> Below is the code snippet:
>
> impor
Raja Raman Sundararajan wrote:
> Yes, the statement you tried is a valid statement
> also
>
> name = "%'WAITFOR DELAY '00:00:03'--%"
> "SELECT * FROM tb_name WHERE firstname LIKE '%s'" % name
>
> is also valid.
> My question is how to use the LIKE statements using ADO in Python
> :-|
>
Raja:
Hi Gregarican,
I am the original poster and yes this is a production code level
problem.
Do you have inputs for a solution?
/Raja Raman
Yes, the statement you tried is a valid statement
also
>>> name = "%'WAITFOR DELAY '00:00:03'--%"
>>> "SELECT * FROM tb_name WHERE firstname LIKE '%s'" % name
is also valid.
My question is how to use the LIKE statements using ADO in Python
:-|
Steve Holden wrote:
> Now Google for "sql injection vulnerability" and tell us why this is a
> bad idea.
The original poster didn't specify if they were writing
production-level code on an Internet-facing server, so I didn't exactly
infer a context. You are correct in your statement. I was just po
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]n.org] On Behalf Of gregarican
Sent: Wednesday, January 18, 2006 11:34 AM
To: python-list@python.org
Subject: Re: MSSQL LIKE and IN statements in ADO problem
Can't you get rid of the Create Parameter part and directly pass along
the va
Yes, Steve, you have a very good point.
Gregarican, I am using the parameterized SQL to avoid such
vulnerability.
For example, in your example use
name = "%'WAITFOR DELAY '00:00:03'--%"
and directly substitute it to the statement
"select * from table_name where name like '%s' " % (name)
The server w
gregarican wrote:
> Sorry forgot to explain that with the string substitution stuff you can
> escape the percent sign by doubling it up. In my example I wanted to
> retain the leading percent sign before the value, in this case I wanted
> LIKE %raj to appear. So I doubled it up. That's why there ar
Sorry forgot to explain that with the string substitution stuff you can
escape the percent sign by doubling it up. In my example I wanted to
retain the leading percent sign before the value, in this case I wanted
LIKE %raj to appear. So I doubled it up. That's why there are three
percent signs in a
Can't you get rid of the Create Parameter part and directly pass along
the value you are looking for? Something like...
name = 'raj'
cmd.CommandText= \
"SELECT * FROM tb_name WHERE firstname LIKE %%%s" % name
This way the value of the name variable gets passed along when the
CommandText m
Hello guys,
I am trying to query the MSSQL DB using ADO.
I am not able to make the LIKE statement fetch the correct results.
Can anyone tell me what I need to do to get this working?
Below is the code snippet:
import win32com.client
const = win32com.client.constants
#co