>> query = '''UPDATE cost_grid
>> SET cost_1 = %s
>> WHERE cost_grid_id = %s
>> AND finish_dro = %s''' % ( a,c,b)
>> c.execute(query)
>
> Yikes! Alan! Certainly you know what an SQL injection attack is? And what
> if the data contains special characters?
>
> For those who don't know, imagine what happens in the above if
> b = '91.4; drop table cost_grid;'
Yes, that's true and a very good point. You do need to do some validation if the inputs are coming from, for example, a web site. Creating the string yourself means taking responsibility for checking the parameters. If that's an issue, execute() is probably a better bet; in my work that's never an issue since the data normally comes to me well formatted.

Alan G

_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
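As an added example (not code from either poster), the string-formatted query from the thread beside the parameterised form the reply recommends. It uses sqlite3 so it runs stand-alone; the cost_grid table and its one row are constructed here, and the `?` placeholder is sqlite3's style (a MySQLdb-style driver keeps `%s` in the SQL and takes the tuple as the second argument of execute()).

```python
import sqlite3

# Constructed in-memory table using the column names from the thread.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cost_grid "
               "(cost_grid_id INTEGER, finish_dro REAL, cost_1 REAL)")
    db.execute("INSERT INTO cost_grid VALUES (1, 91.4, 10.0)")
    db.commit()
    return db

def unsafe_query(a, c, b):
    """The original approach: the values become part of the SQL text,
    so anything in them (quotes, semicolons, extra statements) is SQL."""
    return ("UPDATE cost_grid SET cost_1 = %s WHERE cost_grid_id = %s "
            "AND finish_dro = %s" % (a, c, b))

def safe_update(db, a, c, b):
    """Parameterised form: the SQL is fixed, the driver binds the values
    separately, so an injected value can never become a statement.
    Returns the number of rows updated."""
    cur = db.execute(
        "UPDATE cost_grid SET cost_1 = ? WHERE cost_grid_id = ? "
        "AND finish_dro = ?",
        (a, c, b))
    db.commit()
    return cur.rowcount

def table_exists(db):
    row = db.execute("SELECT name FROM sqlite_master "
                     "WHERE type = 'table' AND name = 'cost_grid'").fetchone()
    return row is not None

if __name__ == "__main__":
    hostile = "91.4; drop table cost_grid;"   # the value from the thread
    print(unsafe_query(12.5, 1, hostile))     # now contains a DROP statement
    db = make_db()
    # Bound as a value: matches nothing, changes nothing, table survives.
    print(safe_update(db, 12.5, 1, hostile), table_exists(db))
    # A genuine value still works as intended.
    print(safe_update(db, 12.5, 1, 91.4))
```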