
Changes between Version 4 and Version 5 of TracDev/DatabaseApi


Timestamp:
Apr 26, 2006, 7:52:57 PM (18 years ago)
Author:
Christopher Lenz
Comment:

Removed snippet about obsolete sql_escape function

  • TracDev/DatabaseApi

    v4 v5  
    5757}}}
    5858
    59 At any cost, try avoiding the use of [http://docs.python.org/lib/typesseq-strings.html string formatting] to get values into the SQL statement. The database automatically escapes values you pass using {{{execute()}}} arguments, the same is not true if you use string formatting. If you '''absolutely cannot avoid''' it, be sure to apply the {{{sql_escape}}} function in [source:/trunk/trac/util.py trac.util] to all parameters you're passing in, to avoid possible [http://en.wikipedia.org/wiki/SQL_injection SQL injection] attacks:
    60 
    61 {{{
    62 #!python
    63 from trac.util import sql_escape
    64 cursor.execute("SELECT author,ipnr,comment FROM wiki WHERE name=%s" % sql_escape(thename))
    65 }}}
     59At any cost, try avoiding the use of [http://docs.python.org/lib/typesseq-strings.html string formatting] to get values into the SQL statement. The database automatically escapes values you pass using {{{execute()}}} arguments, the same is not true if you use string formatting, opening your code up to [http://en.wikipedia.org/wiki/SQL_injection SQL injection] attacks.
    6660
    6761On the other hand, you '''must''' use string formatting to dynamically specify names of tables or columns, i.e. anything that is not a value as such:
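Review bot: the retained paragraph at new line 61 tells readers they '''must''' use string formatting for table and column names, but it gives no guidance on where those names may come from; since the rewritten line 59 has just said that formatted values are not escaped, the same warning applies to identifiers, so add a sentence that names substituted this way must be program constants or be checked against a fixed list of known tables and columns, never taken directly from request input. Dropping the {{{sql_escape}}} snippet is the right call if the function is gone from trac.util, but the new text should then also drop the hedge "At any cost, try avoiding" and state plainly that values go through {{{execute()}}} parameters, so nobody reads the paragraph as permission to format values in when it feels unavoidable. Minor: new line 59 is a comma splice ("...{{{execute()}}} arguments, the same is not true if you use string formatting..."); split it into two sentences or use a semicolon.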