From: Karsten H. <Kar...@gm...> - 2005-05-12 16:00:19
> sql ="""
> INSERT INTO trabajador
> VALUES("""+ ",".join(["'%s'" %(n1) for n1 in trabajador])+")"
> self.cursor.execute(sql)

Don't do that. Do

    sql = "... where ... = %s and ... = %s and ..."
    self.cursor.execute(sql, trabajador)

Otherwise people can run SQL injection attacks unless you are *really*
careful.

Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
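The difference between the two forms above, as an added example that is not part of the original thread: a self-contained script using Python's built-in sqlite3 module with an in-memory stand-in for the `trabajador` table (the column names are assumptions, since the original schema is not shown). It runs the string-built INSERT and a string-built SELECT beside their parameterised equivalents. Note that sqlite3's paramstyle is `qmark`, so the placeholder is `?` rather than the `%s` that MySQLdb or psycopg2 use; the driver still does the quoting either way.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the 'trabajador' table from the thread
    # (column names are assumptions; the original schema is not shown).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trabajador (nombre TEXT, puesto TEXT)")
    return conn


def insert_unsafe(conn, trabajador):
    # The string-building form quoted in the thread: quoting is done by hand,
    # so any quote character inside the data ends the literal early.
    sql = "INSERT INTO trabajador VALUES(" + ",".join("'%s'" % n1 for n1 in trabajador) + ")"
    conn.execute(sql)


def insert_safe(conn, trabajador):
    # The parameterised form Karsten recommends: the SQL text carries only
    # placeholders and the driver binds the values, never splicing them into the text.
    placeholders = ",".join("?" for _ in trabajador)
    conn.execute("INSERT INTO trabajador VALUES(" + placeholders + ")", tuple(trabajador))


def find_unsafe(conn, nombre):
    # Same hand-quoting mistake in a WHERE clause.
    sql = "SELECT nombre, puesto FROM trabajador WHERE nombre = '%s'" % nombre
    return conn.execute(sql).fetchall()


def find_safe(conn, nombre):
    return conn.execute(
        "SELECT nombre, puesto FROM trabajador WHERE nombre = ?", (nombre,)
    ).fetchall()


def demo():
    conn = make_db()
    insert_safe(conn, ["Ana", "admin"])
    insert_safe(conn, ["Luis", "soporte"])

    # 1. A perfectly legitimate value containing an apostrophe breaks the
    #    hand-built INSERT (SQLite reports a syntax error)...
    try:
        insert_unsafe(conn, ["O'Brien", "ventas"])
        unsafe_insert_ok = True
    except sqlite3.OperationalError:
        unsafe_insert_ok = False
    # ...while the parameterised INSERT stores it verbatim.
    insert_safe(conn, ["O'Brien", "ventas"])
    stored = find_safe(conn, "O'Brien")

    # 2. Constructed lookup value shaped to change the WHERE clause's meaning
    #    when interpolated into the SQL text.
    probe = "nobody' OR 'a'='a"
    unsafe_rows = find_unsafe(conn, probe)  # tautology: every row comes back
    safe_rows = find_safe(conn, probe)      # compared as a literal name: no match

    return unsafe_insert_ok, stored, len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    # Expected: (False, [("O'Brien", "ventas")], 3, 0)
    print(demo())
```

The two outcomes show both halves of Karsten's point: hand-quoting is not merely risky, it is also wrong on ordinary data such as names with apostrophes, whereas binding parameters keeps the SQL structure fixed regardless of what the values contain.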