help with creating a mysql query string

Discussion in 'Python' started by RiGGa, Jun 27, 2004.

  1. RiGGa

    RiGGa Guest

    Hi,

    I am trying to create a mysql query string that contains two variables, the
    first holds a table name and the second holds the values as a tuple.  I
    have tried the following however I can not work out how to get the format
    right so the %s is substituted with the contents of the variable, I think I
    just have the quoting wrong, can anyone advise?

    tablename contains the table I want to use
    datavalue contains the data I want to use (contains multiple fields, we will
    say 3 here for this example)

    sqlquery = "INSERT INTO %s", tablename + " values(%s,%s,%s)", datavalue"

    Any help appreciated

    Thanks

    Rigga
    RiGGa, Jun 27, 2004
    #1

  2. Sean Ross

    Sean Ross Guest

    "RiGGa" <> wrote in message
    news:3SvDc.22042$9.net...
    [snip]
    >
    > sqlquery = "INSERT INTO %s", tablename + " values(%s,%s,%s)", datavalue"
    >

    [snip]

    sqlquery = "INSERT INTO " + tablename + " values(%s,%s,%s)"%datavalue
    Sean Ross, Jun 27, 2004
    #2

  3. On Sun, Jun 27, 2004 at 07:58:09 -0400, Sean Ross wrote:
    >
    > "RiGGa" <> wrote in message
    > news:3SvDc.22042$9.net...
    > [snip]
    > >
    > > sqlquery = "INSERT INTO %s", tablename + " values(%s,%s,%s)", datavalue"
    > >

    > [snip]
    >
    > sqlquery = "INSERT INTO " + tablename + " values(%s,%s,%s)"%datavalue


    Rather do something like:

    sqlquery = "INSERT INTO %s values(%%s,%%s,%%s)" % tablename
    cursor.execute(sqlquery, datavalue)

    The other way allows datavalue to contain arbitrary SQL that will be
    executed, which can be a nasty security hole depending on where the
    value comes from.
    --
    mithrandi, i Ainil en-Balandor, a faer Ambar

    Tristan Seligmann, Jun 27, 2004
    #3
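The parameterized approach from the reply above, carried through as an added example (not code from the thread). Because a table name is an identifier and cannot be bound as a query parameter, it is validated against a strict pattern instead; the code runs offline against sqlite3, with a `paramstyle` argument so the same builder emits MySQLdb's `%s` placeholders or sqlite3's `?` placeholders.

```python
import re
import sqlite3

# Identifier pattern for table names: the one piece of the statement that
# cannot be passed as a bound parameter, so it is validated rather than trusted.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Placeholder token per DB-API paramstyle: MySQLdb uses "format", sqlite3 "qmark".
PLACEHOLDERS = {"format": "%s", "qmark": "?"}


def build_insert(tablename, ncols, paramstyle="format"):
    """Return a parameterized INSERT for tablename with ncols placeholders."""
    if not IDENTIFIER_RE.match(tablename):
        raise ValueError("invalid table name: %r" % tablename)
    placeholder = PLACEHOLDERS[paramstyle]
    return "INSERT INTO %s VALUES (%s)" % (tablename, ", ".join([placeholder] * ncols))


def unsafe_insert(tablename, datavalue):
    """The string-interpolation version from the thread: values become SQL text."""
    return "INSERT INTO " + tablename + " VALUES (%s, %s, %s)" % datavalue


def insert_row(conn, tablename, datavalue):
    """Execute the INSERT with datavalue bound by the driver, never pasted into the SQL."""
    sql = build_insert(tablename, len(datavalue), paramstyle="qmark")
    conn.execute(sql, datavalue)
    conn.commit()
    return sql


def demo():
    """Constructed sample: a value containing a quote and SQL-looking text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, note TEXT)")
    datavalue = ("alice", "alice@example.com", "O'Brien'); DROP TABLE users; --")
    insert_row(conn, "users", datavalue)
    # With binding, the third field is stored verbatim as data.
    stored = conn.execute("SELECT note FROM users").fetchone()[0]
    # With interpolation, the same text would have been part of the statement.
    return stored, unsafe_insert("users", datavalue)
```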
