passing artibrary strings into a database

 
 
schwehr@gmail.com
Guest
Posts: n/a
 
      11-27-2005
Hi All,

I was wondering if there is a helper library out there that will nicely
encode arbitrary text so that I can put it into a TEXT field in a
database and then retrieve it without getting into trouble with ',",new
lines or other such things that would foul the sql insert call and/or
be a security hazard? This feels like a newbie type question, but I
haven't found anything with a quick search.

Thanks,
-kurt

Fredrik Lundh
Guest
Posts: n/a
 
      11-27-2005
(E-Mail Removed) wrote:

> I was wondering if there is a helper library out there that will nicely
> encode arbitrary text so that I can put it into a TEXT field in a
> database and then retrieve it without getting into trouble with ',",new
> lines or other such things that would foul the sql insert call and/or
> be a security hazard?


don't ever use string formatting to add values to an SQL statement.
the right way to pass variables to the database engine is to use parameters
(aka bound variables):

cursor.execute(
"insert into table (col1, col2) values (?, ?)",
(value1, value2)
)

the exact marker depends on the database; use the paramstyle attribute
to figure out what's the right parameter marker to use for your database.
see the DB-API 2 spec for more information:

http://www.python.org/peps/pep-0249.html

</F>

Diez B. Roggisch
Guest
Posts: n/a
 
      11-27-2005
(E-Mail Removed) wrote:
> Hi All,
>
> I was wondering if there is a helper library out there that will nicely
> encode arbitrary text so that I can put it into a TEXT field in a
> database and then retrieve it without getting into trouble with ',",new
> lines or other such things that would foul the sql insert call and/or
> be a security hazard? This feels like a newbie type question, but I
> haven't found anything with a quick search.


Use a parametrized cursor.execute(..). That is, instead of doing

c.execute("insert into foo values ('%s')" % mytext)

do

c.execute("insert into foo values (?)", (mytext,))

Attention, the actual style of a parameter is dependent on your
database, e.g. Oracle uses a different one:

c.execute("insert into foo values (:mytext)", dict(mytext=mytext))


The actual style to use is given in the docs, or can be queried with

connection.paramstyle

I recommend reading the DB-API 2.0 specs.

Diez
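As an added example (not code from any poster in this thread), the parametrized insert recommended in both replies above, run against Python's bundled sqlite3 module: it stores text full of quotes and newlines through a bound parameter and reads it back unchanged, picks the marker from the driver's declared paramstyle, and shows that the string-formatting version from the thread breaks on the same input. The table name and sample text are constructed for the demonstration.

```python
import sqlite3

# Constructed sample text containing the characters the question worries about.
TRICKY_TEXT = "O'Reilly wrote: \"it's 5pm\"\nsecond line\twith a tab and 100%"

def placeholder(paramstyle, name, position=1):
    """Return the parameter marker a DB-API 2 driver with this paramstyle expects.

    paramstyle is a module-level attribute of every DB-API 2 driver (PEP 249).
    """
    return {
        "qmark": "?",                  # e.g. sqlite3
        "numeric": ":%d" % position,   # positional, numbered from 1
        "named": ":" + name,           # the Oracle style mentioned in the thread
        "format": "%s",                # ANSI C printf codes
        "pyformat": "%%(%s)s" % name,  # Python extended format codes
    }[paramstyle]

def store_and_fetch(text):
    """Insert text twice via bound parameters and return what comes back."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table notes (id integer primary key, body text)")
    # Marker chosen from the driver's declared paramstyle ('?' for sqlite3).
    # Only the marker is formatted into the SQL; the value never is.
    marker = placeholder(sqlite3.paramstyle, "body")
    conn.execute("insert into notes (body) values (%s)" % marker, (text,))
    # sqlite3 also accepts the named style with a mapping, like the Oracle example.
    conn.execute("insert into notes (body) values (:body)", {"body": text})
    rows = conn.execute("select body from notes order by id").fetchall()
    conn.close()
    return [row[0] for row in rows]

def unsafe_insert(text):
    """The string-formatting version from the thread: return the driver's error, or None."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table notes (body text)")
    try:
        # The apostrophe inside the value terminates the SQL string literal early,
        # so the statement no longer parses.
        conn.execute("insert into notes values ('%s')" % text)
    except sqlite3.Error as exc:
        return str(exc)
    finally:
        conn.close()
    return None
```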
schwehr@gmail.com
Guest
Posts: n/a
 
      11-27-2005
Thanks! Looks like I need to get a newer version of pysqlite into the
fink package tree since pysqlite 1.0.1 does not appear to support that
