FAQ

On Wed, 2004-11-24 at 02:16 +0100, Pete..... wrote:
Hi I got that error debugged but, now there is a new one:
cur.execute('''INSERT INTO persons (persons.name,
persons.surname, persons.username, persons.password) VALUES %s,%s, %s, %s
''' %(form['name'].value, form['surname'].value, form['username'].value,
form['password'].value))
That syntax doesn't look right. I think you were closer with your
previous attempt. This is slightly more correct:

cur.execute('''INSERT INTO persons (name, surname, username, password)
VALUES('%s', '%s', '%s', '%s')''' % (form['name'].value,
form['surname'].value, form['username'].value, form['password'].value))

(Note the single quotes around the %s)

The real problem with this code is that you are letting the user of your
website inject whatever SQL they want directly into your command. I am
not sure if this works for pypgsql, but with psycopg the safe way to do
this is

insert_command = '''
INSERT INTO persons (name, surname, username, password)
VALUES(%s, %s, %s, %s)
'''
cur.execute(insert_command,
            (form['name'].value, form['surname'].value,
             form['username'].value, form['password'].value))

I believe this works with other DB API 2.0 compatible modules. This lets
the database module worry about whether "jim's house" needs to be turned
into "jim\\'s house" or "'jim\\'s house'".

HTH

-Mark
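As an added, runnable illustration of the point above (not code from the thread), here are both INSERT styles run against Python's bundled sqlite3 module, which is also DB API 2.0 but uses the '?' paramstyle rather than psycopg's '%s'; the form dict, the table schema and the "jim's house" input are constructed for the example.

```python
import sqlite3

# sqlite3 ships with Python and is DB API 2.0, but its paramstyle is "qmark" ('?'),
# not "format" ('%s') as in psycopg. Check the module attribute before writing queries.
assert sqlite3.paramstyle == "qmark"

# Constructed schema matching the table used in the thread.
SCHEMA = "CREATE TABLE persons (name TEXT, surname TEXT, username TEXT, password TEXT)"


def insert_interpolated(conn, form):
    """The quoted '%s' version from the thread: the user's text is pasted into the
    SQL itself, so a single quote in the input changes the statement."""
    conn.execute("""INSERT INTO persons (name, surname, username, password)
                    VALUES('%s', '%s', '%s', '%s')"""
                 % (form["name"], form["surname"], form["username"], form["password"]))
    conn.commit()


def insert_parameterized(conn, form):
    """The DB API way: values travel separately and the driver does the quoting."""
    conn.execute("""INSERT INTO persons (name, surname, username, password)
                    VALUES(?, ?, ?, ?)""",
                 (form["name"], form["surname"], form["username"], form["password"]))
    conn.commit()


def try_both(form):
    """Run the same form through both versions on fresh in-memory databases.
    Returns (interpolated, parameterized): the stored name, or the error class name
    if the statement failed."""
    results = []
    for insert in (insert_interpolated, insert_parameterized):
        conn = sqlite3.connect(":memory:")
        conn.execute(SCHEMA)
        try:
            insert(conn, form)
            results.append(conn.execute("SELECT name FROM persons").fetchone()[0])
        except sqlite3.Error as exc:
            results.append(type(exc).__name__)
        finally:
            conn.close()
    return tuple(results)


if __name__ == "__main__":
    # Constructed input; the apostrophe is exactly the case the thread mentions.
    form = {"name": "jim's house", "surname": "x", "username": "jim", "password": "pw"}
    print(try_both(form))  # ('OperationalError', "jim's house")
```

The interpolated version fails on the apostrophe with a syntax error, which is the same mechanism that lets crafted input alter the statement; the parameterized version stores the text unchanged.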

Discussion overview: group python-list @ python.org; posted Nov 23, '04 at 4:52p; active Nov 24, '04 at 1:30p; 13 posts, 5 users.