Liam Clarke wrote:
> Hi,
> Well thanks Kent, after a bit of puzzlement I feel like I'm getting it.
> Pysqlite takes care of correct quotation marks for me, but it's only
> good for parameters.
Right, you still hard-code the rest of the query.
> so to generate 'select * from foo if A = "Bat"' I can hand cx
Hi,
Well thanks Kent, after a bit of puzzlement I feel like I'm getting it.
Pysqlite takes care of correct quotation marks for me, but it's only
good for parameters.
So to generate 'select * from foo if A = "Bat"' I can hand cx.execute 'Bat', but I still have to insert A.
So, my select statem
A light dawns, and I now understand how SQL code injection attacks can happen.
Looks like I'm going to have to rethink & re-examine some docs
Cheers,
Liam
On Fri, 25 Feb 2005 06:15:05 -0500, Kent Johnson <[EMAIL PROTECTED]> wrote:
> Liam Clarke wrote:
> > Hi,
> >
> > Hope I don't annoy an
Liam Clarke wrote:
> Hi,
> Hope I don't annoy anyone by asking this here, if I do, let me know.
> When you're doing a SQL select statement, what would be better? Say
> you're searching by name, should I do -
> j = cx.execute
> j('select * from foo where first == %s and last == %s') % (a,b)
> q = cx.fetchall(
Hi,
Hope I don't annoy anyone by asking this here, if I do, let me know.
When you're doing a SQL select statement, what would be better? Say
you're searching by name, should I do -
j = cx.execute
j('select * from foo where first == %s and last == %s') % (a,b)
q = cx.fetchall()
if not q:
j(
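The contrast the thread is circling, as an added example that is not code from either poster: the `%`-formatting style Liam asks about beside the parameter style Kent points him to. It uses Python's standard `sqlite3` module in place of pysqlite, a constructed in-memory table `foo(first, last)` with three constructed rows, and helper names (`build_db`, `lookup_formatted`, `lookup_parameterized`, `compare`) that are this example's own. A name with an apostrophe is enough to show the difference: pasted into the SQL text it is parsed as SQL and the statement fails, while as a bound parameter it is only ever data.

```python
import sqlite3

# Constructed sample rows (not from the thread).
SAMPLE_PEOPLE = [
    ("Bruce", "Wayne"),
    ("Dick", "Grayson"),
    ("Conan", "O'Brien"),
]


def build_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    cx = sqlite3.connect(":memory:")
    cx.execute("create table foo (first text, last text)")
    cx.executemany("insert into foo values (?, ?)", SAMPLE_PEOPLE)
    cx.commit()
    return cx


def lookup_formatted(cx, first, last):
    """The risky pattern: caller input is pasted into the SQL text with %.

    Whatever the caller passes becomes part of the statement, so any quote
    character in the input changes how the database parses the query.
    """
    sql = "select * from foo where first = '%s' and last = '%s'" % (first, last)
    return cx.execute(sql).fetchall()


def lookup_parameterized(cx, first, last):
    """The pattern pysqlite's parameter support is for: the SQL text is fixed,
    and the values travel separately, so they are treated as data, never SQL."""
    sql = "select * from foo where first = ? and last = ?"
    return cx.execute(sql, (first, last)).fetchall()


def compare(first, last):
    """Run both lookups on the same input.

    Returns (formatted_result, parameterized_result); formatted_result is the
    row list, or the string "error" when the formatted SQL failed to parse.
    """
    cx = build_db()
    try:
        formatted = lookup_formatted(cx, first, last)
    except sqlite3.OperationalError:
        formatted = "error"
    parameterized = lookup_parameterized(cx, first, last)
    cx.close()
    return formatted, parameterized


if __name__ == "__main__":
    # An ordinary name: both styles agree.
    print(compare("Bruce", "Wayne"))
    # A legitimate apostrophe: formatting turns the name into broken SQL,
    # the parameterized query simply finds the row.
    print(compare("Conan", "O'Brien"))
```

The failure on `O'Brien` is the same mechanism that makes injection possible: with formatting, the database cannot tell where the query ends and the input begins. Binding the values as parameters is what keeps the two apart, which is why the fixed parts of the statement (table, columns, operators) are the only pieces you hard-code.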