Re: [Tutor] Didn't take long to hit my next wall!

2006-04-17 Thread Alan Gauld
>> query = '''UPDATE cost_grid
>>SET cost_1 = %s
>>WHERE cost_grid_id = %s
>>AND finish_dro = %s % ( a,c,b)
>> c.execute(query)
>
> Yikes! Alan! Certainly you know what an SQL injection attack is? And what
> if the data contains special characte

Re: [Tutor] Didn't take long to hit my next wall!

2006-04-16 Thread Brian Gustin
Interesting.. I'll have to dig out my unit test scripts that I wrote to test the situation to my satisfaction...

The way I had it, I wrote the query exactly as was done in this case, but I wrote it directly in the cursor.execute() function as in:

cursor.execute('''insert into tablea (id,name,nu

Re: [Tutor] Didn't take long to hit my next wall!

2006-04-16 Thread Kent Johnson
Brian Gustin wrote:
> python in this form uses BIND variables..
> >>query = '''UPDATE cost_grid
> >> SET cost_1 = %s <--- %s = the bind variable placeholder/formatter
> >> WHERE cost_grid_id = %s
> >> AND finish_dro = %s % ( a,c,b) <--- the raw

Re: [Tutor] Didn't take long to hit my next wall!

2006-04-16 Thread Brian Gustin
python in this form uses BIND variables..

>>query = '''UPDATE cost_grid
>> SET cost_1 = %s <--- %s = the bind variable placeholder/formatter
>> WHERE cost_grid_id = %s
>> AND finish_dro = %s % ( a,c,b) <--- the raw tuple

That is, what is provi

Re: [Tutor] Didn't take long to hit my next wall!

2006-04-16 Thread Kent Johnson
Alan Gauld wrote:
> Hi John,
>
> I've no idea why it's not working but this illustrates why I prefer to create
> the sql string outside the execute - it's a lot easier to debug when you can
> print the string exactly as passed to execute. I know many others like to
> leave execute to do the escaping

Re: [Tutor] Didn't take long to hit my next wall!

2006-04-15 Thread Alan Gauld
hat helps but it's my experience FWIW,
Alan G.

- Original Message -
From: "John CORRY" <[EMAIL PROTECTED]>
To:
Sent: Saturday, April 15, 2006 10:26 PM
Subject: [Tutor] Didn't take long to hit my next wall!

> Hi,
>
> I am having problems amending records in my d

Re: [Tutor] Didn't take long to hit my next wall!

2006-04-15 Thread Danny Yoo
> I am having problems amending records in my database.

Hi John,

The root of this problem is a matter of choosing variable names that are way too terse. In particular, note that you're using the variable 'c' as:

    c = 'PF1'

but at the same time, you're also using:

    c = db.cursor()

[Tutor] Didn't take long to hit my next wall!

2006-04-15 Thread John CORRY
Hi,

I am having problems amending records in my database.

If I use the following code my database is updated fine.

c = '"PF1"'
b = 91.4
a = 85.00
import mx.ODBC
import mx.ODBC.Windows
db = mx.ODBC.Windows.DriverConnect('DSN=vfp')
c = db.cursor()
c.execute('UPDATE cost_gri