
Fix for incorrect MySQLdb escaping example

My suggestion for improving the parameterized query documentation.
Closes-Bug: #1745555

Change-Id: I55d3d660436bbead403e53d1ed42b285b47326de
Joshua Padman 1 year ago
parent
commit
5d7466981b
1 changed file with 9 additions and 6 deletions

doc/source/guidelines/dg_parameterize-database-queries.rst (+9, -6)

@@ -95,25 +95,28 @@ be created.
95 95
         cur = con.cursor()
96 96
         cur.execute(query)
97 97
 
98
-Correct
99
-^^^^^^^
98
+Better
99
+^^^^^^
100 100
 
101 101
 In this example the query is created using pythons standard, unsafe
102 102
 '%' operator. MySQL's 'escape\_string' method is used to perform escaping
103
-on the query string immediately before executing it.
103
+on the user input string prior to inclusion in the string.
104 104
 
105 105
 .. code:: python
106 106
 
107 107
     import MySQLdb
108 108
 
109
-    query = "select username from users where username = '%s'" % name
109
+    query = "select username from users where username = '%s'" % MySQLdb.escape_string(name)
110 110
     con = MySQLdb.connect('localhost', 'testuser', 'test623', 'testdb');
111 111
 
112 112
     with con:
113 113
         cur = con.cursor()
114
-        cur.execute(MySQLdb.escape_string(query))
114
+        cur.execute(query)
115
+
116
+Correct
117
+^^^^^^^
115 118
 
116
-An alternative, but also correct, way to do this using a parameterized
119
+The correct way to do this using a parameterized
117 120
 query might look like the following:
118 121
 
119 122
 .. code:: python
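Review bot: the new line 109 calls the module-level `MySQLdb.escape_string(name)` before the connection is opened on line 110, so the escaping cannot take the connection's character set into account; MySQLdb's documentation steers users to `connection.escape_string()` because the module-level function cannot handle character sets. Consider building the query inside the `with con:` block and using `con.escape_string(name)`, or at least state in the prose that the module-level call is charset-unaware and that this section is still the non-preferred approach. Two smaller points in the same hunk: the new sentence on line 103 would read more precisely as "prior to inclusion in the query string", and the unchanged context on lines 101-102 still says "pythons standard" (should be "Python's") and attributes `escape_string` to MySQL rather than to MySQLdb.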
