• Create Account

### #ActualBiffenbob

Posted 08 April 2013 - 01:07 PM

# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()


My understanding is a SQL injection is when instead of supplying data or a variable you substitute a SQL command.  My question is why is the second option better then the first.  What makes the second option better then the first?

### #1Biffenbob

Posted 08 April 2013 - 01:05 PM

# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)