Re: [Tutor] ODBC SQL Server Question

2009-09-23 Thread Kristina Ambert
Hi, Thank you guys for the replies and thanks Kent for the explanation, and yes, this: self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, )) using the comma did make it work. On Fri, Sep 18, 2009 at 3:40 PM, Jeff Johnson wrote: > Thanks for the clarification Kent! > > > Ke

Re: [Tutor] ODBC SQL Server Question

2009-09-18 Thread Jeff Johnson
Thanks for the clarification Kent! Kent Johnson wrote: On Fri, Sep 18, 2009 at 2:14 PM, Jeff Johnson wrote: Kent: How about this: self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, )) No, that has the same result as your original. For example, In [3]: name = "Kent';

Re: [Tutor] ODBC SQL Server Question

2009-09-18 Thread Kent Johnson
On Fri, Sep 18, 2009 at 2:14 PM, Jeff Johnson wrote: > Kent: > > How about this: > self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, > )) No, that has the same result as your original. For example, In [3]: name = "Kent'; drop table Stories;--" In [4]: "SELECT CUSTID FRO

Re: [Tutor] ODBC SQL Server Question

2009-09-18 Thread Jeff Johnson
Kent: How about this: self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name, )) Question, does execute know to substitute the question mark with name? self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME= ?", (name, )) TIA Kent Johnson wrote: On Fri, Sep 18, 2009

Re: [Tutor] ODBC SQL Server Question

2009-09-18 Thread Kent Johnson
On Fri, Sep 18, 2009 at 11:49 AM, Jeff Johnson wrote: > Kristina: > > I would format it as follows: > > self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % name) No, that is a recipe for SQL injection attacks such as this: http://xkcd.com/327/ >> self.cursor.execute("SELECT CUST

Re: [Tutor] ODBC SQL Server Question

2009-09-18 Thread Jeff Johnson
Kristina: I would format it as follows: self.cursor.execute("SELECT CUSTID FROM Stories WHERE NAME = '%s'" % name) Kristina Ambert wrote: Hi, Is anyone familiar with this error: dbi.internal-error: [Microsoft][SQL Server Driver]Invalid cursor state in EXEC This error is triggered by the firs

[Tutor] ODBC SQL Server Question

2009-09-18 Thread Kristina Ambert
Hi, Is anyone familiar with this error: dbi.internal-error: [Microsoft][SQL Server Driver]Invalid cursor state in EXEC This error is triggered by the first sql statement call in an accessor module whose purpose is only to get data from a source module and feed it into a database: self.cursor.execu
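The thread contrasts two ways of passing `name` into the query: pasting it into the SQL text with `'%s' % name` (which Kent warns is an SQL injection recipe) and binding it as a `?` parameter, which is what finally worked. The example below is added here and is not code from the thread or from the dbi/ODBC module; it uses Python's built-in `sqlite3` as a stand-in for the SQL Server driver (both use the `?` qmark style shown in the thread), and the `Stories` table and its rows are constructed sample data. It shows the exact query string Kent's `In [4]` would produce, why the interpolated form also breaks on ordinary names containing a quote, and that the parameterized form treats the whole value as a literal.

```python
import sqlite3

# Constructed sample data standing in for the thread's "Stories" table.
# sqlite3 is an assumption here, used in place of the ODBC/dbi module.
SAMPLE_ROWS = [(1, "Kent"), (2, "O'Brien"), (3, "Kristina")]


def make_db():
    """Create an in-memory database with a small Stories table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Stories (CUSTID INTEGER, NAME TEXT)")
    conn.executemany("INSERT INTO Stories VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def formatted_query(name):
    """The '%s' form from the thread: the value becomes part of the SQL text."""
    return "SELECT CUSTID FROM Stories WHERE NAME = '%s'" % (name,)


def lookup_formatted(conn, name):
    """Run the interpolated string. Returns ("rows", [...]) or ("error", msg).

    sqlite3 refuses a call that contains more than one statement, so the
    crafted name from Kent's message is rejected here; a driver that accepts
    statement batches per call would run the second statement instead.
    """
    try:
        rows = conn.execute(formatted_query(name)).fetchall()
        return ("rows", rows)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("error", str(exc))


def lookup_param(conn, name):
    """The parameterized form that fixed the original problem.

    The driver sends the value separately from the SQL text, so quotes,
    semicolons and comment markers inside `name` are just characters.
    """
    row = conn.execute(
        "SELECT CUSTID FROM Stories WHERE NAME = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def table_exists(conn, table):
    """True if `table` is still present in the database."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    crafted = "Kent'; drop table Stories;--"   # the value from Kent's In [3]
    print(formatted_query(crafted))             # what In [4] would show
    print(lookup_formatted(conn, "O'Brien"))    # interpolation breaks on a quote
    print(lookup_formatted(conn, crafted))      # second statement is rejected here
    print(lookup_param(conn, "O'Brien"))        # 2: bound value handles the quote
    print(lookup_param(conn, crafted))          # None: no such name, nothing dropped
    print(table_exists(conn, "Stories"))        # True
```

The `O'Brien` case is the practical argument alongside the security one: a bound parameter needs no escaping at all, whereas the `%s` form fails on any legitimate name containing an apostrophe and would need driver-specific quoting rules to patch around it.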