开发者

How to protect text when doing INSERT using MySQLdb

This query is easy, but when the text contains some quotes it doesn't work.

cursor.execute ("INSERT INTO text (text_key, language_id, text) VALUES ('%s', '%s', '%s')" % (key, language_id, text))

Wha开发者_运维技巧t is the best way to protect my text variable ?


Always pass the parameters separately from the query:

cursor.execute (
    "INSERT INTO text (text_key, language_id, text) VALUES (%s, %s, %s)",
    (key, language_id, text))

That way the quoting will be handled correctly.


What you are doing will lead to a SQL injection vulnerability. Pass the parametrized query as the first argument, and the sequence of values as the second argument.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜