Dennis Lee Bieber wrote:
> On Sat, 19 Apr 2008 03:46:54 +0200, Karl-Heinz Ruskowski
> <[EMAIL PROTECTED]> declaimed the following in comp.lang.python:
>
>> Hi,
>>
>>> cursor.execute('update products set pic1="%s" where id="%s", ;',
>>> (pic1, id))
>> Shouldn't it be something like
>> curso
Hi,
> cursor.execute('update products set pic1="%s" where id="%s", ;',
> (pic1, id))
Shouldn't it be something like
cursor.execute('update products set pic1="%s" where id="%s", ;' % (pic1, id))
--
GPG key: 0x04B3BB96
Thank you. That worked.
Victor
On Fri, Apr 18, 2008 at 10:48 AM, J. Cliff Dyer <[EMAIL PROTECTED]> wrote:
> There are several problems with your SQL, but not all of them would be
> caught by the computer. Your SELECT statement is not parameterized.
> This is a security problem. *Always* paramet
There are several problems with your SQL, but not all of them would be
caught by the computer. Your SELECT statement is not parameterized.
This is a security problem. *Always* parameterize your variables. Your
UPDATE statement has an extraneous comma at the end, and it also has
quotes around the
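
The two `cursor.execute` forms discussed in this thread, shown side by side as an added example that is not part of any poster's message. It assumes the standard-library `sqlite3` module (which uses `?` placeholders where the thread's driver uses `%s`), single-quoted literals, and a constructed `products` table and input value.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the thread's `products`."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, pic1 TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "a.jpg"), (2, "b.jpg"), (3, "c.jpg")])
    return db


def update_interpolated(db, pic1, id_):
    # The `%` form: values are pasted into the SQL text before the driver
    # sees it, so a quote character inside a value changes the statement.
    sql = "update products set pic1='%s' where id='%s'" % (pic1, id_)
    db.execute(sql)


def update_parameterized(db, pic1, id_):
    # Placeholders carry no quotes and the statement has no trailing comma;
    # the values travel separately from the SQL text.
    db.execute("update products set pic1 = ? where id = ?", (pic1, id_))


def pics(db):
    return [row[0] for row in db.execute("SELECT pic1 FROM products ORDER BY id")]


# Constructed input: a file name holding a quote and an SQL comment marker.
HOSTILE = "x.jpg' --"

if __name__ == "__main__":
    db = make_db()
    update_interpolated(db, HOSTILE, 2)
    print("interpolated: ", pics(db))   # WHERE clause commented out, every row changed

    db = make_db()
    update_parameterized(db, HOSTILE, 2)
    print("parameterized:", pics(db))   # only row 2 changed, value stored literally

    db = make_db()
    try:
        update_interpolated(db, "o'brien.jpg", 2)  # harmless apostrophe
    except sqlite3.OperationalError as exc:
        print("interpolated, apostrophe in name:", exc)
```
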