help with creating a mysql query string

RiGGa

Hi,

I am trying to create a mysql query string that contains two variables, the
first holds a table name and the second holds the values as a tuple.  I
have tried the following however I can not work out how to get the format
right so the %s is substituted with the contents of the variable, I think I
just have the quoting wrong, can anyone advise?

tablename contains the table I want to use
datavalue contains the data I want to use (contains multiple fields, we will
say 3 here for this example)

sqlquery = "INSERT INTO %s", tablename + " values(%s,%s,%s)", datavalue"

Any help appreciated

Thanks

Rigga
 
Sean Ross

[snip]
sqlquery = "INSERT INTO %s", tablename + " values(%s,%s,%s)", datavalue"
[snip]

sqlquery = "INSERT INTO " + tablename + " values(%s,%s,%s)"%datavalue
 
Tristan Seligmann

[snip]
sqlquery = "INSERT INTO %s", tablename + " values(%s,%s,%s)", datavalue"
[snip]

sqlquery = "INSERT INTO " + tablename + " values(%s,%s,%s)"%datavalue

Rather do something like:

sqlquery = "INSERT INTO %s values(%%s,%%s,%%s)" % tablename
cursor.execute(sqlquery, datavalue)

The other way allows datavalue to contain arbitrary SQL that will be
executed, which can be a nasty security hole depending on where the
value comes from.
--
mithrandi, i Ainil en-Balandor, a faer Ambar
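
Added example (not part of the original posts): the two ways of building the INSERT discussed in this thread, run side by side against Python's built-in sqlite3 so it works offline. sqlite3 uses ? as its placeholder where MySQLdb uses %s; the readings table, the allowlist and the sample tuple are constructed for illustration, and the allowlist check on the table name goes beyond what the thread covers.

```python
import sqlite3

ALLOWED_TABLES = {"readings"}  # hypothetical allowlist of insertable tables

def build_insert(tablename, nfields, mark="?"):
    # A table name cannot be a bound parameter, so validate it before
    # formatting it into the statement text.
    if tablename not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % (tablename,))
    return "INSERT INTO %s VALUES (%s)" % (tablename, ",".join([mark] * nfields))

def new_db():
    # Fresh in-memory database with a three-column table (constructed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (a TEXT, b TEXT, c TEXT)")
    return conn

def insert_bound(conn, tablename, datavalue):
    # Values travel separately from the SQL text; the driver binds them.
    conn.execute(build_insert(tablename, len(datavalue)), datavalue)

def insert_formatted(conn, tablename, datavalue):
    # The pattern the reply warns about: values become part of the SQL text.
    conn.execute("INSERT INTO %s VALUES ('%%s','%%s','%%s')" % tablename % datavalue)

def rows(conn):
    return conn.execute("SELECT a, b, c FROM readings ORDER BY rowid").fetchall()

# Constructed sample: the third field carries a quote and extra SQL syntax.
SAMPLE = ("x", "y", "z'), ('extra', 'row', 'here")

def compare():
    # Same tuple, same table, two separate databases.
    safe, unsafe = new_db(), new_db()
    insert_bound(safe, "readings", SAMPLE)
    insert_formatted(unsafe, "readings", SAMPLE)
    return rows(safe), rows(unsafe)

if __name__ == "__main__":
    bound, formatted = compare()
    print("bound:    ", bound)      # one row, third field stored verbatim
    print("formatted:", formatted)  # two rows: the value rewrote the statement
```

With MySQLdb the same build_insert call takes mark="%s", which yields the statement text passed to cursor.execute in the reply above.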
