Biffenbob

Member
  • Content count: 1

Community Reputation: 105 Neutral

About Biffenbob
  • Rank: Newbie
  1. Code (with a few setup lines added so the snippet runs on its own against an in-memory database):

         import sqlite3
         conn = sqlite3.connect(':memory:')  # setup, not part of the quoted snippet
         c = conn.cursor()
         c.execute("CREATE TABLE stocks (symbol TEXT, qty REAL)")
         c.execute("INSERT INTO stocks VALUES ('RHAT', 100)")

         # Never do this -- insecure!
         symbol = 'RHAT'
         c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

         # Do this instead
         t = ('RHAT',)
         c.execute('SELECT * FROM stocks WHERE symbol=?', t)
         print c.fetchone()

     Taken from http://docs.python.org/2/library/sqlite3.html

     My understanding is a SQL injection is when, instead of supplying data or a variable, you substitute a SQL command. My question is why is the second option better than the first. What makes the second option better than the first?
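The difference between the two forms is easiest to see by running both against the same inputs. The script below is an added illustration, not code from the post or from the Python documentation; the function names (`make_db`, `lookup_formatted`, `lookup_parameterized`, `compare`) and the sample rows are constructed for this example. The `%` version splices the input into the SQL text, so a quote character in the input is parsed as SQL: a legitimate value with an apostrophe breaks the query, and an input that carries its own `OR` clause changes what the query matches. The `?` version keeps the SQL text fixed and hands the value to the driver separately, so it can only ever be compared as a literal.

```python
import sqlite3

# Constructed sample data (not from the post): a small in-memory stocks table.
ROWS = [('RHAT', 100.0), ('IBM', 50.0), ("O'BRIEN", 25.0)]


def make_db():
    """Create a fresh in-memory database holding ROWS."""
    conn = sqlite3.connect(':memory:')
    c = conn.cursor()
    c.execute("CREATE TABLE stocks (symbol TEXT, qty REAL)")
    c.executemany("INSERT INTO stocks VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_formatted(conn, symbol):
    """The insecure form: the input becomes part of the SQL text itself,
    so any quote character in it is read as SQL syntax, not as data."""
    c = conn.cursor()
    c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
    return c.fetchall()


def lookup_parameterized(conn, symbol):
    """The recommended form: the SQL text never changes; the driver binds
    the value separately, so it is always compared as a plain string."""
    c = conn.cursor()
    c.execute("SELECT * FROM stocks WHERE symbol = ?", (symbol,))
    return c.fetchall()


def compare(symbol):
    """Run both forms on the same input.

    Returns (formatted_result, parameterized_result); each result is the
    list of rows found, or the exception the query raised."""
    conn = make_db()
    try:
        formatted = lookup_formatted(conn, symbol)
    except sqlite3.Error as exc:
        formatted = exc
    parameterized = lookup_parameterized(conn, symbol)
    conn.close()
    return formatted, parameterized


if __name__ == '__main__':
    # A normal symbol, a legitimate symbol containing an apostrophe, and an
    # input that carries its own SQL clause (the case the post calls injection).
    for s in ['RHAT', "O'BRIEN", "RHAT' OR '1'='1"]:
        formatted, parameterized = compare(s)
        print('%-18r formatted: %-45r parameterized: %r'
              % (s, formatted, parameterized))
```

Running it shows three outcomes. For `RHAT` both forms return the same single row. For `O'BRIEN` the formatted query raises an `OperationalError` because the apostrophe ends the string literal early, while the parameterized query finds the row. For the third input the formatted query matches every row in the table, because the text spliced in now contains an `OR` condition, whereas the parameterized query returns nothing: there is simply no symbol equal to that string. The second form is better because the database receives the query structure and the data through two separate channels, so the data cannot alter the structure.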