MySQLdb not allowing hyphen
John Nagle
nagle at animats.com
Wed Feb 8 14:41:44 EST 2012
On 2/5/2012 2:46 PM, Chris Rebert wrote:
> On Sun, Feb 5, 2012 at 2:41 PM, Emeka<emekamicro at gmail.com> wrote:
>>
>> Hello All,
>>
>> I noticed that MySQLdb not allowing hyphen may be a way to prevent injection
>> attack.
>> I have something like below:
>>
>> "insert into reviews(message, title)values('%s', '%s')" %( "We don't know
>> where to go","We can't wait till morrow" )
>>
>> ProgrammingError(1064, "You have an error in your SQL syntax; check the
>> manual that corresponds to your MySQL server version for the right syntax to
>> use near 't know where to go.
>>
>> How do I work around this error?
>
> Don't use raw SQL strings in the first place. Use a proper
> parameterized query, e.g.:
>
> cursor.execute("insert into reviews(message, title) values (%s, %s)",
> ("We don't know where to go", "We can't wait till morrow"))

Yes. You are doing it wrong.

Do NOT use the "%" operator when putting SQL queries together. Let
"cursor.execute" fill them in. It knows how to escape special
characters in the input fields, which will fix your bug and prevent
SQL injection.

John Nagle
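The two approaches from the thread run side by side, as an added example that is not part of the original messages. It uses Python's bundled sqlite3 in place of MySQLdb so it runs without a MySQL server; sqlite3 takes `?` placeholders where MySQLdb takes `%s`, and the table and sample strings are constructed here.

```python
import sqlite3

# Constructed sample values: the same strings Emeka posted in the thread.
MESSAGE = "We don't know where to go"
TITLE = "We can't wait till morrow"


def make_db():
    """In-memory SQLite table standing in for the MySQL `reviews` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reviews (message TEXT, title TEXT)")
    return conn


def insert_with_percent(conn, message, title):
    """The broken pattern: '%' pastes the raw text into the SQL, so the
    apostrophe in "don't" ends the string literal early and the rest of
    the value is parsed as SQL (the 1064 error seen with MySQL).
    Returns the database's error message, or None if it unexpectedly ran."""
    sql = "insert into reviews(message, title) values('%s', '%s')" % (message, title)
    try:
        conn.execute(sql)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def insert_parameterized(conn, message, title):
    """The fix: hand the values to cursor.execute separately and let the
    driver bind them. Quotes, semicolons and comment markers in the data
    are then stored as data, never interpreted as SQL.
    Returns the rows now in the table."""
    conn.execute(
        "insert into reviews(message, title) values (?, ?)",  # MySQLdb: %s, %s
        (message, title),
    )
    return conn.execute("select message, title from reviews").fetchall()


if __name__ == "__main__":
    db = make_db()
    print("percent formatting:", insert_with_percent(db, MESSAGE, TITLE))
    print("parameterized:     ", insert_parameterized(db, MESSAGE, TITLE))
```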