passing artibrary strings into a database

Discussion in 'Python' started by schwehr@gmail.com, Nov 27, 2005.

  1. Guest

    Hi All,

    I was wondering if there is a helper library out there that will nicely
    encode artibrary text so that I can put in into a TEXT field in a
    database and then retrieve it without getting into trouble with ',",new
    lines or other such things that would foul the sql insert call and or
    be a security hazard? This feels like a newbee type question, but I
    haven't found anything with a quick search.

    Thanks,
    -kurt
    , Nov 27, 2005
    #1
    1. Advertising

  2. wrote:

    > I was wondering if there is a helper library out there that will nicely
    > encode artibrary text so that I can put in into a TEXT field in a
    > database and then retrieve it without getting into trouble with ',",new
    > lines or other such things that would foul the sql insert call and or
    > be a security hazard?


    don't ever use string formatting to add values to an SQL statement.
    the right way to pass variables to the database engine is to use para-
    meters (aka bound variables):

    cursor.execute(
    "insert into table (col1, col2) values ?, ?",
    value1, value2
    )

    the exact marker depends on the database; use the paramstyle attribute
    to figure out what's the right parameter marker to use for your database.
    see the DB-API 2 spec for more information:

    http://www.python.org/peps/pep-0249.html

    </F>
    Fredrik Lundh, Nov 27, 2005
    #2
    1. Advertising

  3. wrote:
    > Hi All,
    >
    > I was wondering if there is a helper library out there that will nicely
    > encode artibrary text so that I can put in into a TEXT field in a
    > database and then retrieve it without getting into trouble with ',",new
    > lines or other such things that would foul the sql insert call and or
    > be a security hazard? This feels like a newbee type question, but I
    > haven't found anything with a quick search.


    Use paramtetrized cursor.execute(..) That is instead of doing

    c.execute("insert into foo values ('%s')" % mytext)

    do

    c.execute("insert into foo values (?)", mytext)

    Attention, the actual style of a parameter is dependand on your
    database, e.g. oracle uses a differnet one:

    c.execute("insert into foo values :)mytext)", dict(mytext=mytext))


    The actual style to use is given in the docs, or can be queried with

    connection.paramstyle

    I recommend reading the DB-API 2.0 specs.

    Diez
    Diez B. Roggisch, Nov 27, 2005
    #3
  4. Guest

    Thanks! Looks like I need to get a newer version of pysqlite into the
    fink package tree since pysqlite 1.0.1 does not appear support that
    , Nov 27, 2005
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Steven Taylor
    Replies:
    3
    Views:
    453
    hibiki
    Apr 23, 2005
  2. Ben

    Strings, Strings and Damned Strings

    Ben, Jun 22, 2006, in forum: C Programming
    Replies:
    14
    Views:
    730
    Malcolm
    Jun 24, 2006
  3. p.
    Replies:
    10
    Views:
    617
    Albert van der Horst
    Jan 28, 2008
  4. Renie83
    Replies:
    2
    Views:
    218
  5. Wybo Dekker
    Replies:
    1
    Views:
    171
    Charles Steinman
    Jul 23, 2005
Loading...

Share This Page