On Thu, 2006-10-12 at 14:46 -0700, johnf wrote:
> On Thursday 12 October 2006 07:14, Jason Massey wrote:
> > On 10/12/06, johnf <[EMAIL PROTECTED]> wrote:
> > > On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > > > > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > > > > cursor.execut
On Thursday 12 October 2006 07:14, Jason Massey wrote:
> On 10/12/06, johnf <[EMAIL PROTECTED]> wrote:
> > On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > > > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > > > cursor.execute(query)
> > >
> > > There can be security issues with thi
On Thu, 2006-10-12 at 06:19 -0700, johnf wrote:
> On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > > cursor.execute(query)
> >
> > There can be security issues with this style, especially
> > if the parameters can be modified by user
On 10/12/06, johnf <[EMAIL PROTECTED]> wrote:
On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > cursor.execute(query)
>
> There can be security issues with this style, especially
> if the parameters can be modified by users - for example
> y
On Thursday 12 October 2006 00:31, Alan Gauld wrote:
> > query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> > cursor.execute(query)
>
> There can be security issues with this style, especially
> if the parameters can be modified by users - for example
> you read the values from a web page.
>
>
> query = "SELECT * FROM DB WHERE NAME = %s" % (name)
> cursor.execute(query)
There can be security issues with this style, especially
if the parameters can be modified by users - for example
you read the values from a web page.
The cursor.execute() call has the ability to pass the parameters
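A runnable illustration of the point Alan makes above, added here as an example and not code from the thread. The standard-library sqlite3 module stands in for MySQLdb because it ships with Python; both are DB-API 2.0 drivers, the only visible difference being the placeholder (MySQLdb uses %s, sqlite3 uses ?), so with MySQLdb the safe call reads cursor.execute("SELECT * FROM DB WHERE NAME = %s", (name,)). The table, its rows and the test names are constructed for the example, and the single quotes around %s are an assumption the original line leaves out (without them the value would be parsed as a column name).

```python
import sqlite3

# Constructed sample rows; the name containing an apostrophe is the
# interesting one, because it is perfectly legitimate input.
ROWS = [("alice", 1), ("O'Brien", 2), ("bob", 3)]


def make_db():
    """Build an in-memory table shaped like the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DB (NAME TEXT, ID INTEGER)")
    conn.executemany("INSERT INTO DB VALUES (?, ?)", ROWS)
    return conn


def lookup_formatted(conn, name):
    """The pattern from the thread: the value is pasted into the SQL text.

    Whatever is in `name` becomes part of the statement the database
    parses, so any character with meaning in SQL changes the statement.
    """
    query = "SELECT * FROM DB WHERE NAME = '%s'" % (name,)
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """DB-API style: SQL text and values are passed separately.

    The driver handles quoting, so the value is only ever compared, never
    parsed. With MySQLdb the placeholder is %s instead of ?.
    """
    return conn.execute("SELECT * FROM DB WHERE NAME = ?", (name,)).fetchall()


def demo(name):
    """Run both styles on the same input and return (formatted, parameterized).

    If the formatted query fails to parse, the error text is returned in its
    place so the two outcomes can be compared side by side.
    """
    conn = make_db()
    try:
        formatted = lookup_formatted(conn, name)
    except sqlite3.Error as exc:
        formatted = "error: %s" % exc
    parameterized = lookup_parameterized(conn, name)
    conn.close()
    return formatted, parameterized


if __name__ == "__main__":
    for candidate in ("alice", "O'Brien"):
        formatted, parameterized = demo(candidate)
        print("%-8s formatted=%r parameterized=%r" % (candidate, formatted, parameterized))
```

For "alice" both styles return the same row. For "O'Brien" the formatted query becomes `... WHERE NAME = 'O'Brien'`, which the database rejects as a syntax error, while the parameterized query returns the right row; that difference is exactly the "value becomes SQL" problem, and the fix is to let cursor.execute() carry the parameters rather than building the statement with %.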
I'm running a MySQL database; I create the connections and such using MySQLdb.
Someone told me that queries like
query = "SELECT * FROM DB WHERE NAME = %s" % (name)
cursor.execute(query)
That's the syntax that I use, but someone told me not to use it. I'm new to the DB accessing thing, so if