Following is a code snippet from a pythoncard app
the problem is with the sql string called iq1
If either mysubject or mytalktext contains an
apostrophe the update fails :
Example: mysubject="Let' s Eat" this fails
mysubject="Lets Eat" this works fine
What options do I have to avoid this issue but still
can use apostrophes in my input data ?
mysubject=self. components.Text Field1.text
mytalktext=self .components.Tex tArea1.text
mymsgno=self.my amsgno
iq1="update MSGTALK set msgdate='NOW',s ubject='%s',tal ktext='%s' where
msgno= %d " % (mysubject,myta lktext,mymsgno)
try:
self.cur.execut e(iq1)
con1.commit()
self.components .TextArea2.appe ndText('Update ok\n')
except:
self.components .TextArea2.appe ndText('Problem during update command\n')
self.components .TextArea2.appe ndText(iq1)
(hope the intendation did not get too messed up )
Thanks
5  1252 
DarkBlue <no****@nixmail .comwrote:
iq1="update MSGTALK set msgdate='NOW',s ubject='%s',tal ktext='%s' where
msgno= %d " % (mysubject,myta lktext,mymsgno)
try:
self.cur.execut e(iq1)
Use parameterised queries and get rid of the quotes in the SQL:
iq1="update MSGTALK set msgdate='NOW',s ubject=%s,talkt ext=%s where
msgno= %d "
try:
self.cur.execut e(iq1, (mysubject,myta lktext,mymsgno) )
....
depending on your actual database you might need to use something other
than %s to specify the parameters. Check out 'paramstyle' for your database
connection.
DarkBlueFollowi ng is a code snippet from a pythoncard app
DarkBluethe problem is with the sql string called iq1
DarkBlueIf either mysubject or mytalktext contains an
DarkBlueapostro phe the update fails :
DarkBlueExample : mysubject="Let' s Eat" this fails
DarkBlue mysubject="Lets Eat" this works fine
DarkBlueWhat options do I have to avoid this issue but still can use
DarkBlueapostro phes in my input data ?
You don't mention what database adapter you're communicating with, but they
all have argument quoting facilities. You should be using them instead of
doing the string interpolation yourself.
For example, if I was using MySQL, my code might look something like this:
self.cur.execut e("update MSGTALK"
" set msgdate='NOW', subject=%s, talktext=%s"
" where msgno=%s",
(self.component s.TextField1.te xt,
self.components .TextArea1.text ,
self.myamsgno))
Skip
DarkBlue wrote:
>
Example: mysubject="Let' s Eat" this fails
mysubject="Lets Eat" this works fine
What options do I have to avoid this issue but still
can use apostrophes in my input data ?
Use proper "bind parameters" or "bind variables" when executing the
statement, rather than using string substitution/interpolation.
[...]
iq1="update MSGTALK set msgdate='NOW',s ubject='%s',tal ktext='%s' where
msgno= %d " % (mysubject,myta lktext,mymsgno)
This merely "edits" a statement, stuffing values directly into the
text. As you've noticed, merely substituting values for placeholders
isn't always going to work. Moreover, it's something that could cause
errors (in the nicest circumstances such as in a local application) or
security holes (in nasty circumstances such as in networked or Web
applications).
Instead try this:
iq1="update MSGTALK set msgdate='NOW',s ubject=%s,talkt ext=%s" \
" where msgno=%d" # note that the parameters are not substituted here
Then execute the statement with the parameters as a separate argument:
self.cur.execut e(iq1, [mysubject,mytal ktext,mymsgno])
The database module will then ensure that the values you've supplied
really will get used properly when executing the statement, and things
like apostrophes won't cause any problems at all.
Paul
P.S. The above assumes that the "parameter style" of the database
module is "format", as found by looking at the paramstyle attribute of
the module (eg. MySQLdb.paramst yle). Other styles include "qmark" where
you use "?" instead of "%s" (or other format codes) to indicate where
your values will be used in a statement.
P.P.S. See also the DB-API 2.0 specification: http://www.python.org/dev/peps/pep-0249/
DarkBlue wrote:
Following is a code snippet from a pythoncard app
the problem is with the sql string called iq1
If either mysubject or mytalktext contains an
apostrophe the update fails :
Example: mysubject="Let' s Eat" this fails
mysubject="Lets Eat" this works fine
What options do I have to avoid this issue but still
can use apostrophes in my input data ?
mysubject=self. components.Text Field1.text
mytalktext=self .components.Tex tArea1.text
mymsgno=self.my amsgno
iq1="update MSGTALK set msgdate='NOW',s ubject='%s',tal ktext='%s' where
msgno= %d " % (mysubject,myta lktext,mymsgno)
Your SQL after the % formatting will read something like this:
update ... set ... subject='Let's Eat',talktext=. ...
which is illegal SQL syntax -- if a string constant contains an
apostrophe, it must be doubled:
... subject='Let''s Eat', ...
which would require you to do data.replace("' ", "''") on each text
column. In general, % formatting is *not* a good idea, for this reason
and also because it leaves you wide open to an SQL injection attack. It
is much better to use the placeholder system, and let the called
software worry about inserting apostrophes, converting date formats,
etc etc. So:
iq1="""\
update MSGTALK
set msgdate='NOW', subject=?, talktext=?
where msgno= ?
"""
self.cur.execut e(iq1, (mysubject,myta lktext,mymsgno) )
Your [unspecified] DBMS adaptor may use some other placeholdet than
"?"; this will be documented in its manual .....
HTH,
John
Duncan Booth wrote:
...
depending on your actual database you might need to use something other
than %s to specify the parameters. Check out 'paramstyle' for your
database connection.
Thank you all for prompt suggestions
I am using firebird 1.5.3 with kinterbasdb
Db This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: TimS |
last post by:
I am getting a baffling File not found error (0x800A0035).
I am writing asp on a windows 2000 server. I build a path and filename from
several fields in a jet database using SQL commands, like this:
Sql = "SELECT dirs.rootname,dirs.dirname FROM dirs"
RS.open Sql
RS.movefirst
do while not RS.EOF
temp1=trim(RS("rootname"))
|
by: Michelle |
last post by:
I have tried every variation of the "onchange" statement below without
any actual reloading of the page: The FireFox javaScript Console reports
the following message:
Error: missing : in conditional expression
Source Code:
location.href=themes.php?scheme=(form.color_schemes.options.value)
My Code for the dropdown box is:
<form name='color_schemes' method='post' action='themes.php' >
|
by: bfrasca |
last post by:
I have a well-formed XML file that I am trying to load into a dataset
using the ReadXML method. It keeps telling me that "there are multiple
root elements". I can view the data using XML Designer in Visual
Studio 2003 without any problems and the schema and file have been
validated using several different tools. I even successfully generated
a typed dataset with Visual Studio 2003 by importing the XML into my
project. I'm baffled, does...
|
by: WillWeGetOurFreedomBack |
last post by:
When I try to run the query below, I get a warning that says Access
could not insert ANY of the records due to Validation rule violations.
Access gives me NO hint WHICH fields are violating the rules or WHAT
rules are being violated!
Furthermore, I re-checked EVERY field in the target table and there
ARE NO VALIDATION RULES SET on ANY field! There is no conflict
between source and target data types on any field and NON of the
target...
|
by: Mike |
last post by:
I have posted this before, but no one responds, so here
it goes again. I think my question is intimidating people
and I have no idea why?!? This is not a new concept. You
can do this with other programming languages, so why is
C# so different? Again, here is my baffling C# question.
I have C# code that opens an application, but right after
it opens I am confronted by prompts for information
(i.e. "Please enter your id"). I would like to...
| | |
by: Steve |
last post by:
I'm currently running into a problem, and I have no idea what to make of it.
I have a class with nested clases and static properties that I'm using
to store configuration information using a custom configuration section.
When my code accesses one of the static properties the static
constructors are fired, and the code goes in and pulls the data from the
configuration section.
In the current instance, I'm getting a connection string....
|
by: Double Echo |
last post by:
Hi,
Forgive me if I ask a dumb question, I'm new to classes and object programming with PHP,
and cannot figure out what the problem is with this class. Maybe I have overlooked
something but just can't see it. The error message usually means a typo or something
that I missed.
I get this error:
Parse error: parse error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or '}' in crypt_class.php on line 6
|
by: CharlesA |
last post by:
hi folks,
I'm using the .Net framework 1.1 with ASP.net and C#:
this is what I'm trying to do...
I've got a repeater template working that creates a hyperlink with a
javascript function call embedded inside it
when the user clicks on the link, it populates a textbox with a value
specific to that link (i.e a person's ID)...I can make this work in a
standalone browser window, but I'm trying to stuff this functionality at run
|
by: Tim Redfern |
last post by:
Hi I'm having an issue that is probably obvious to somebody here but its
baffling me..
I'm using python (2.5.1) on an embedded linux sytem system (kernel
2.6.19 I think) with only 32MB memory (for an art project).
My python code runs nicely when launched manually from a login shell, ps
shows its using 11MB or so of memory.
However, when I try to launch the same code from a startup script, it
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| | |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
