caught by the computer. Your SELECT statement is not parameterized.
This is a security problem. *Always* parameterize your variables. Your
UPDATE statement has an extraneous comma at the end, and it also has
quotes around the "%s"es that you don't need, because you already
parameterized that query. Your dbapi interface will provide appropriate
quoting for whatever type of data you pass it.
Cheers,
Cliff
On Fri, 2008-04-18 at 10:13 -0500, Victor Subervi wrote:
Hi;--
If I grab an image in the database thus:
sql = "select pic1 from products where id='" + str(id) + "';"
cursor.execute(sql)
pic1 = cursor.fetchall()[0][0].tostring()
# pic1 = cursor.fetchall()[0][0] // either this or the above
line
and try and re-insert it thus:
cursor.execute('update products set pic1="%s" where id="%s", ;',
(pic1, id))
it tells me I have an error in my MySQL syntax. What is the error?
TIA,
Victor
Oook,
J. Cliff Dyer
Carolina Digital Library and Archives
UNC Chapel Hill