import sqlite3
# Set-up so the snippet runs stand-alone (in-memory database, sample row)
conn = sqlite3.connect(':memory:')
c = conn.cursor()
c.execute("CREATE TABLE stocks (symbol TEXT, qty INTEGER)")
c.execute("INSERT INTO stocks VALUES ('RHAT', 100)")
# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()
Taken from http://docs.python.org/2/library/sqlite3.html
My understanding is that a SQL injection is when, instead of supplying data or a variable, you substitute a SQL command. My question is: why is the second option better than the first? What makes the second option better than the first?
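The difference between the two forms can be seen by running both against the same input. This is an added example (Python 3, not part of the original post or the Python docs); the `stocks` table and its rows are constructed here so it runs offline.

```python
import sqlite3

def make_db():
    """Constructed sample table so the example runs offline (in memory)."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("CREATE TABLE stocks (symbol TEXT, qty INTEGER)")
    c.executemany("INSERT INTO stocks VALUES (?, ?)",
                  [("RHAT", 100), ("IBM", 50), ("MSFT", 75)])
    conn.commit()
    return conn

def lookup_formatted(conn, symbol):
    """The 'never do this' form: the value is pasted into the SQL text,
    so any quote characters inside it are parsed as SQL syntax."""
    c = conn.cursor()
    c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
    return c.fetchall()

def lookup_parameterized(conn, symbol):
    """The 'do this instead' form: the SQL text is fixed, and the value is
    bound separately, so it is only ever compared as a string."""
    c = conn.cursor()
    c.execute("SELECT * FROM stocks WHERE symbol = ?", (symbol,))
    return c.fetchall()

if __name__ == "__main__":
    conn = make_db()
    # Ordinary input: both forms return the single matching row.
    print(lookup_formatted(conn, "RHAT"))
    print(lookup_parameterized(conn, "RHAT"))
    # Input containing a quote: the formatted query changes shape and
    # returns every row; the parameterized query compares the literal
    # string, finds no such symbol, and returns nothing.
    tainted = "x' OR '1'='1"
    print(lookup_formatted(conn, tainted))
    print(lookup_parameterized(conn, tainted))
    # Even benign data with an apostrophe breaks the formatted query
    # (unterminated string), while the parameterized one simply finds no row.
    try:
        lookup_formatted(conn, "O'Reilly")
    except sqlite3.OperationalError as e:
        print("formatted query failed:", e)
    print(lookup_parameterized(conn, "O'Reilly"))
```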