> -----Original Message-----
> Subject: Re: [Tutor] Python CGI Script
>
> > query1 = """SELECT ABC FROM %s limit %s,%s"""\
> > % (self.tableid,self.rangeid1,self.rangeid2)
>
> Just as a note: please don't do this! *grin*
>
> Don't build query strings up like this: this is very prone to an SQL
> injection attack. See:
>
> http://mail.python.org/pipermail/tutor/2003-April/022010.html
>
> which talks about this a bit more.
> _______________________________________________
I just wanted to verify what I believe to be the correct way of doing this.

    sql_statement = "INSERT INTO images (image) VALUES (%s)"
    cur.execute(sql_statement, (data_obj, ))

Is it just moving the variable substitution to the execute statement as a tuple, so it will perform the proper quoting?

Thanks,
Mike
_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
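The following is an added example, not code from the thread, showing the difference between the two forms side by side. It assumes an in-memory sqlite3 database (so it runs offline), whose paramstyle is `?` rather than the `%s` that MySQLdb uses; the `ALLOWED_TABLES` set and the `secrets` table are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database with an 'images' table and a 'secrets' table
# whose contents a lookup on 'images' should never be able to reach.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, image TEXT)")
    conn.execute("CREATE TABLE secrets (value TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('db-password')")
    return conn

def insert_image(conn, data_obj):
    # The pattern Mike asks about: the placeholder stays in the SQL text and
    # the value travels separately, so the driver handles quoting and the
    # value is stored verbatim even when it contains quotes. sqlite3's
    # paramstyle is '?'; MySQLdb's is '%s', which is why the two forms are
    # easy to confuse with ordinary string formatting.
    conn.execute("INSERT INTO images (image) VALUES (?)", (data_obj,))
    return conn.execute("SELECT COUNT(*) FROM images").fetchone()[0]

def find_unsafe(conn, name):
    # The pattern the quoted reply warns against: 'name' is spliced into the
    # statement, so a quote in it ends the literal and the rest is parsed
    # as SQL (and a plain "O'Reilly.png" is already a syntax error).
    sql = "SELECT image FROM images WHERE image = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def find_safe(conn, name):
    # Same lookup with a bound parameter: 'name' can only ever be a value.
    sql = "SELECT image FROM images WHERE image = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Hypothetical allow-list for the quoted 'SELECT ... FROM %s limit %s,%s'
# case: the LIMIT values bind fine as parameters, but bound parameters are
# values, not identifiers, so a table name chosen at runtime has to be
# checked against a fixed set before it is formatted into the statement.
ALLOWED_TABLES = {"images", "thumbnails"}

def select_range(conn, tableid, rangeid1, rangeid2):
    if tableid not in ALLOWED_TABLES:
        raise ValueError("table not in allow-list: %r" % (tableid,))
    sql = "SELECT image FROM %s ORDER BY id LIMIT ?, ?" % tableid
    return [row[0] for row in conn.execute(sql, (rangeid1, rangeid2))]
```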