Re: Problem with MySQL cursor
- From: Florian Lindner <Florian.Lindner@xxxxxx>
- Date: Fri, 12 Oct 2007 13:12:54 +0200
Carsten Haese wrote:

> On Thu, 2007-10-11 at 15:14 +0200, Florian Lindner wrote:
> > Hello,
> > I have a function that executes a SQL statement with MySQLdb:
> >
> >     def executeSQL(sql, *args):
> >         print sql % args          # show the query before the driver quotes the args
> >         cursor = conn.cursor()    # conn: an open MySQLdb connection created elsewhere
> >         cursor.execute(sql, args)
> >         cursor.close()
> >
> > it's called like that:
> >
> >     sql = "INSERT INTO %s (%s) VALUES (%s)"
> >     executeSQL(sql, DOMAIN_TABLE, DOMAIN_FIELD, domainname)
>
> You can't use parameter binding to substitute table names and column
> names, or any other syntax element, into a query. You can only bind
> parameters in places where a literal value would be allowed (more or
> less, the real rules are more complicated, but this rule of thumb gets
> you close enough). You have to construct the query string like this, for
> example:
>
>     sql = "INSERT INTO "+DOMAIN_TABLE+"("+DOMAIN_FIELD+") VALUES (%s)"
>     executeSQL(sql, domainname)
Ok, I understand it and now it works, but why is there this limitation? Why can't I
just use string interpolation in any place and have the cursor function escape
any strings so that they can't do harm to my query?
Regards,
Florian
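As an added illustration of Carsten's point (example code written for this page, not code from either poster or from MySQLdb): a DB-API driver with the "format" paramstyle does not know where in the statement a parameter lands; it turns every bound value into a quoted, escaped string literal and interpolates the result into the query text. The `mysql_literal` function below is a constructed stand-in for that client-side quoting, so the example runs without a database. Binding a table name therefore produces `INSERT INTO 'domains' ...`, which MySQL rejects because a string literal is not an identifier. The safe alternative shown is to validate identifiers against a strict allowlist pattern (the regex and the backtick quoting are the assumptions here; a real application would compare against the set of tables and columns it actually owns) and to bind only the values.

```python
import re

# Constructed stand-in for the client-side literal quoting a MySQLdb-style
# driver performs for cursor.execute(sql, args): every parameter becomes a
# quoted, escaped string literal (integers are passed through unquoted).
def mysql_literal(value):
    """Render a Python value as a MySQL literal (assumption: str or int only)."""
    if isinstance(value, int) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    escaped = (text.replace("\\", "\\\\")
                   .replace("'", "\\'")
                   .replace("\x00", "\\0")
                   .replace("\n", "\\n"))
    return "'" + escaped + "'"


def simulate_execute(sql, args):
    """Return the query text the driver would send for cursor.execute(sql, args)."""
    return sql % tuple(mysql_literal(a) for a in args)


# The original posting's approach: table and column names handed in as
# parameters.  The driver quotes them like any other value, so the resulting
# statement names a string literal where an identifier is required.
def broken_insert(table, column, value):
    return simulate_execute("INSERT INTO %s (%s) VALUES (%s)",
                            (table, column, value))


# Safe identifier handling (assumed policy): accept only names that match a
# strict allowlist pattern, then quote them with backticks so they can never
# be read as anything but an identifier.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def identifier_accepted(name):
    """True if `name` passes the allowlist pattern."""
    return IDENT_RE.match(name) is not None


def quote_identifier(name):
    if not identifier_accepted(name):
        raise ValueError("refusing unsafe identifier: %r" % (name,))
    return "`" + name + "`"


def build_insert(table, column, value):
    """Identifiers go into the SQL text after validation; the value is bound."""
    sql = "INSERT INTO %s (%s) VALUES (%%s)" % (quote_identifier(table),
                                               quote_identifier(column))
    return simulate_execute(sql, (value,))


if __name__ == "__main__":
    # Constructed sample input mirroring the thread's INSERT.
    print(broken_insert("domains", "name", "example.com"))
    print(build_insert("domains", "name", "example.com"))
    print(build_insert("domains", "name", "o'reilly.com"))
    print(identifier_accepted("domain name"))
```

The first printed line shows why the original call fails even though every argument was "escaped": escaping only protects the parser from a value being read as syntax, and a table name is syntax. The second and third lines show the value still being escaped correctly once the identifiers are fixed into the query text, and the last line shows a name with a space being refused before it ever reaches the query.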