Bytes | Software Development & Data Engineering Community

Re: Another MySQL Images Question

There are several problems with your SQL, but not all of them would be
caught by the computer. Your SELECT statement is not parameterized.
This is a security problem. *Always* parameterize your variables. Your
UPDATE statement has an extraneous comma at the end, and it also has
quotes around the "%s"es that you don't need, because you already
parameterized that query. Your dbapi interface will provide appropriate
quoting for whatever type of data you pass it.

Cheers,
Cliff
On Fri, 2008-04-18 at 10:13 -0500, Victor Subervi wrote:
Hi;
If I grab an image in the database thus:

sql = "select pic1 from products where id='" + str(id) + "';"
cursor.execute(sql)
pic1 = cursor.fetchall()[0][0].tostring()
# pic1 = cursor.fetchall()[0][0] // either this or the above line

and try and re-insert it thus:

cursor.execute('update products set pic1="%s" where id="%s", ;', (pic1, id))

it tells me I have an error in my MySQL syntax. What is the error?
TIA,
Victor
--
Oook,
J. Cliff Dyer
Carolina Digital Library and Archives
UNC Chapel Hill

Jun 27 '08 #1
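The two fixes Cliff describes (parameterize the SELECT; drop the quotes and the stray comma from the UPDATE), worked through as an added example that is not code from either poster. It assumes an in-memory SQLite table as a stand-in for the MySQL `products` table, so it uses sqlite3's `?` placeholder where MySQLdb would use an unquoted `%s`; the image bytes are constructed sample data.

```python
import sqlite3

# Constructed sample data (not from the thread): two products with tiny fake image blobs.
SAMPLE_ROWS = [(1, b"\x89PNG-one"), (2, b"\x89PNG-two")]


def make_db():
    """In-memory SQLite stand-in for the MySQL 'products' table (an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (id integer primary key, pic1 blob)")
    conn.executemany("insert into products (id, pic1) values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_pic_concatenated(conn, product_id):
    """The original post's SELECT pattern: the id is glued into the SQL text,
    so whatever product_id contains is parsed as part of the query."""
    sql = "select pic1 from products where id='" + str(product_id) + "';"
    return [row[0] for row in conn.execute(sql).fetchall()]


def fetch_pic(conn, product_id):
    """Parameterized SELECT: the driver passes the id as a value, never as SQL.
    Returns the blob bytes, or None when no row has that id."""
    rows = conn.execute("select pic1 from products where id=?", (product_id,)).fetchall()
    return rows[0][0] if rows else None


def store_pic(conn, product_id, pic):
    """Corrected UPDATE: placeholders are not quoted and there is no trailing comma.
    The DB-API driver quotes/escapes the bytes and the id itself."""
    cur = conn.execute("update products set pic1=? where id=?", (pic, product_id))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    pic = fetch_pic(db, 1)
    print(store_pic(db, 1, pic))                           # 1 row updated
    print(fetch_pic(db, "1' or '1'='1"))                   # None: value stays a literal
    print(len(fetch_pic_concatenated(db, "1' or '1'='1")))  # 2: value became SQL
```

The last two calls show why parameterization is the security fix and not just a quoting convenience: the same odd-looking id is harmless data to the parameterized query but alters the WHERE clause of the concatenated one.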