Nick
nick at dd.revealed.net
Mon Jan 9 11:50:27 EST 2006
cx_Oracle uses the :arg notation.
Nick
Jorey Bump wrote:
> Daniel Nogradi wrote:
>
>> Inserting variables of type string into other strings goes like this:
>>
>> name = "John"
>> formatted_string = "your name is: %s" % name
>>
>> or with more variables:
>>
>> name = "John"
>> age = "13"
>> formatted_string = "your name is: %s and your age is: %s" % ( name, age )
>>
>> Thus you should have:
>>
>> cursor.execute("INSERT INTO PERSONALDETAILS "
>>                "(firstname,middlename,lastname) VALUES (%s, %s, %s)" %
>>                (fname,mname,lname) )
>>
>> Note the % sign.
>
>
> As a safeguard against SQL injection, data should always be inserted
> into a database using placeholders, especially if supplied by users (or
> any external interface, no matter how authoritative). This is typically
> in the form cursor.execute(querystring, tuple):
>
> querystring = "INSERT INTO user (fname, lname) VALUES (%s, %s)"
> values = (firstname, lastname)
> cursor.execute(querystring, values)
>
> Using simple python string substitution is quite dangerous in web forms.
> Placeholders allow the database to do the work of escaping values safely.
>
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
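The point Jorey makes, and the two placeholder spellings mentioned in the thread (%s for MySQLdb-style drivers, :arg for cx_Oracle), as an added example that is not part of the original thread and not code from any of the posters. It uses Python's standard sqlite3 module as a stand-in for the real drivers because it runs offline and accepts both ? and :name markers; the PERSONALDETAILS table, the sample rows and the helper names (count_unsafe, insert_statement, insert_person) are constructed for the demo.

```python
import sqlite3

# Rows constructed for this demo; they are not from the original thread.
SAMPLE_ROWS = [("John", "Q", "Smith"), ("Jane", "", "Doe")]


def make_db():
    """Create an in-memory table shaped like the thread's PERSONALDETAILS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PERSONALDETAILS "
                 "(firstname TEXT, middlename TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO PERSONALDETAILS VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def count_unsafe(conn, lname):
    """The pattern the thread warns about: Python's % operator splices the
    value into the SQL text, so quotes inside lname become part of the query."""
    sql = "SELECT COUNT(*) FROM PERSONALDETAILS WHERE lastname = '%s'" % lname
    return conn.execute(sql).fetchone()[0]


def count_safe_named(conn, lname):
    """Named placeholder (:arg), the style cx_Oracle uses; sqlite3 accepts it
    too. The driver passes lname as data, never as SQL text."""
    sql = "SELECT COUNT(*) FROM PERSONALDETAILS WHERE lastname = :lname"
    return conn.execute(sql, {"lname": lname}).fetchone()[0]


def count_safe_qmark(conn, lname):
    """Positional placeholder; MySQLdb spells the same marker %s."""
    sql = "SELECT COUNT(*) FROM PERSONALDETAILS WHERE lastname = ?"
    return conn.execute(sql, (lname,)).fetchone()[0]


def unsafe_breaks_on_apostrophe(conn):
    """Even honest input such as O'Brien breaks the %-formatted query."""
    try:
        count_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


# DB-API 2.0 drivers advertise their marker syntax in module.paramstyle
# (cx_Oracle: "named", MySQLdb: "format", sqlite3: "qmark"). Each renderer
# takes the column name and its 1-based position.
PLACEHOLDERS = {
    "qmark":    lambda name, i: "?",
    "numeric":  lambda name, i: ":%d" % i,
    "named":    lambda name, i: ":%s" % name,
    "format":   lambda name, i: "%s",
    "pyformat": lambda name, i: "%%(%s)s" % name,
}


def insert_statement(table, columns, paramstyle):
    """Build an INSERT with one placeholder per column for the given
    paramstyle. Table and column names are trusted identifiers chosen by the
    programmer, which is the only thing %-formatting should ever splice in:
    placeholders carry values, they cannot carry identifiers."""
    render = PLACEHOLDERS[paramstyle]
    marks = ", ".join(render(col, i) for i, col in enumerate(columns, start=1))
    return "INSERT INTO %s (%s) VALUES (%s)" % (table, ", ".join(columns), marks)


def insert_person(conn, fname, mname, lname):
    """Insert a row the way the thread recommends, using the named style."""
    cols = ["firstname", "middlename", "lastname"]
    sql = insert_statement("PERSONALDETAILS", cols, "named")
    conn.execute(sql, {"firstname": fname, "middlename": mname, "lastname": lname})
    conn.commit()
    return sql


if __name__ == "__main__":
    db = make_db()
    evil = "x' OR '1'='1"
    print("unsafe:", count_unsafe(db, evil))        # matches every row
    print("named :", count_safe_named(db, evil))    # matches nothing
    print("qmark :", count_safe_qmark(db, evil))
    print(insert_person(db, "Sean", "", "O'Brien"))
    print("O'Brien rows:", count_safe_named(db, "O'Brien"))
```

Run it and the %-formatted query returns every row for the crafted last name, while both placeholder forms return none; the apostrophe case shows that the same bug also breaks on legitimate data. Note that placeholders only cover values: table and column names still have to come from the program, not from the request.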