| 59 | At any cost, try to avoid using [http://docs.python.org/lib/typesseq-strings.html string formatting] to get values into the SQL statement. The database automatically escapes values you pass as {{{execute()}}} arguments; the same is not true if you use string formatting. If you '''absolutely cannot avoid''' it, be sure to apply the {{{sql_escape}}} function in [source:/trunk/trac/util.py trac.util] to every parameter you pass in, to avoid possible [http://en.wikipedia.org/wiki/SQL_injection SQL injection] attacks: |
| 60 | |
| 61 | {{{ |
| 62 | #!python |
| 63 | from trac.util import sql_escape |
| 64 | cursor.execute("SELECT author,ipnr,comment FROM wiki WHERE name='%s'" % sql_escape(thename))  # sql_escape only doubles single quotes, so the literal keeps its own quotes |
| 65 | }}} |
| 66 | |
| 67 | On the other hand, you '''must''' use string formatting to dynamically specify names of tables or columns, i.e. anything that is an identifier rather than a value. Escape the value placeholder as {{{%%s}}} so that it survives the formatting step and is still bound by {{{execute()}}}: |
| 68 | |
| 69 | {{{ |
| 70 | #!python |
| 71 | cursor.execute("SELECT time FROM %s WHERE name=%%s" % table, (thename,))  # %s -> table name, %%s -> %s bound to thename |
| 72 | }}} |
| 73 | |
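The three ways of getting a value into a statement described above (plain formatting, formatting after {{{sql_escape}}}, and a bound parameter), plus the identifier case from the second block, side by side as an added example. This is not code from the Trac project: it runs against an in-memory {{{sqlite3}}} database with constructed rows, uses {{{?}}} placeholders where Trac's cursor wrapper accepts {{{%s}}}, and the local {{{sql_escape}}} is an assumed stand-in that doubles single quotes like the one in {{{trac.util}}}.

```python
import sqlite3


def sql_escape(text):
    # Assumed stand-in for trac.util.sql_escape: doubles single quotes so the
    # value can be placed inside a '...' literal. Constructed for this example.
    return text.replace("'", "''")


def make_db():
    # Constructed sample data, not taken from a real Trac environment.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wiki (name TEXT, author TEXT, time INTEGER)")
    conn.executemany("INSERT INTO wiki VALUES (?, ?, ?)",
                     [("WikiStart", "admin", 100), ("O'Reilly", "guest", 200)])
    return conn


def author_by_formatting(conn, name):
    # Defective form: the value becomes part of the statement text, so any
    # quote inside it changes the statement (here the name breaks the literal).
    return conn.execute(
        "SELECT author FROM wiki WHERE name='%s'" % name).fetchall()


def author_by_escaping(conn, name):
    # Still string formatting, but quotes are doubled before interpolation.
    return conn.execute(
        "SELECT author FROM wiki WHERE name='%s'" % sql_escape(name)).fetchall()


def author_by_parameter(conn, name):
    # Preferred form: the driver keeps the value separate from the SQL text.
    return conn.execute(
        "SELECT author FROM wiki WHERE name=?", (name,)).fetchall()


ALLOWED_TABLES = ("wiki", "ticket")


def time_by_name(conn, table, name):
    # Identifiers cannot be bound, so the table name is checked against a fixed
    # list before formatting; the value still goes through a placeholder.
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % (table,))
    return conn.execute(
        "SELECT time FROM %s WHERE name=?" % table, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(author_by_parameter(db, "O'Reilly"), time_by_name(db, "wiki", "WikiStart"))
```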