nlv11281 at natlab.research.philips.com
Fri Jan 27 02:09:10 EST 2006
> BTW, if the substring you want to search for is coming from a web page or other > user input this could be dangerous. For example, they could include a single quote > in the substring for searching and stuff it all up. Thus, you need to perform > appropriate escaping to avoid such problems. I always take the approach that no matter how smart I am in escaping the user's gibberish, there will always be someone smarter than me who figures out how to break it. So what I do in cases like you describe: paramlist = ('%' + company + '%',) cursor.execute("SELECT * FROM company WHERE name LIKE %s", paramlist) (note that there are no quotes...) Passing user input as query parameters is, as far as I am concerned, the _only_ safe way of passing user input to the database engine. Even if you have a 'perfect' escaping function, one day they'll take your code and run it on an other DBMS on which the escape function is broken. I typically instruct users to use the more obvious "*" and "?" wildcards, and replace them as needed (for simplicity, I omit escaping the % and _ characters in the user's input): if ("*" in company) or ("?" in company): company = company.replace("*", "%").replace("?", "_") else: company = company + "%" -- Mike.