```python
import sqlite3

conn = sqlite3.connect("example.db")  # assumes an existing database with a 'stocks' table
c = conn.cursor()

# Never do this -- insecure! The value is pasted into the SQL text itself.
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

# Do this instead: hand the value to the driver separately as a bound parameter.
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print(c.fetchone())
```
My understanding is that a SQL injection is when, instead of supplying data or a variable, you substitute a SQL command. My question is: why is the second option better than the first? What makes the second option better than the first?
Edited by Biffenbob, 08 April 2013 - 01:07 PM.
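Added example (not part of the original post) showing the difference the question asks about: with string formatting, a value containing a quote character becomes part of the SQL statement, while a bound `?` parameter is only ever treated as data. The `stocks` table and its rows are constructed here for the demonstration.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory 'stocks' table (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("CREATE TABLE stocks (date text, trans text, symbol text, qty real, price real)")
    c.executemany("INSERT INTO stocks VALUES (?, ?, ?, ?, ?)", [
        ("2006-01-05", "BUY", "RHAT", 100, 35.14),
        ("2006-03-28", "BUY", "IBM", 1000, 45.0),
        ("2006-04-06", "SELL", "MSFT", 500, 53.0),
    ])
    return conn

def lookup_formatted(conn, symbol):
    """Insecure: the input is spliced into the SQL text, so a quote character in
    the input changes the structure of the statement the database parses."""
    c = conn.cursor()
    c.execute("SELECT symbol FROM stocks WHERE symbol = '%s'" % symbol)
    return [row[0] for row in c.fetchall()]

def lookup_parameterized(conn, symbol):
    """Safe: the SQL text is fixed; the driver binds the value to the ? placeholder
    after parsing, so the input can never be interpreted as SQL."""
    c = conn.cursor()
    c.execute("SELECT symbol FROM stocks WHERE symbol = ?", (symbol,))
    return [row[0] for row in c.fetchall()]

if __name__ == "__main__":
    conn = make_db()
    # Ordinary input: both queries return the same single row.
    print(lookup_formatted(conn, "RHAT"), lookup_parameterized(conn, "RHAT"))
    # Input containing a quote: formatting produces a different query that matches
    # every row; the placeholder version searches for that exact literal text.
    tricky = "RHAT' OR '1'='1"
    print(lookup_formatted(conn, tricky))      # ['RHAT', 'IBM', 'MSFT']
    print(lookup_parameterized(conn, tricky))  # []
```

Even a legitimate value such as `O'REILLY` breaks the formatted query (the database sees a malformed statement), while the parameterized query simply finds no match.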