author | Andrew M. Kuchling <amk@amk.ca> | 2006-06-07 17:04:01 (GMT) |
---|---|---|
committer | Andrew M. Kuchling <amk@amk.ca> | 2006-06-07 17:04:01 (GMT) |
commit | e275d3d4cec592369a9070eb7e5ee437d09da671 (patch) | |
tree | 0182a858285bf3efb1c1f92c4af1df6c3674bcc4 /Doc | |
parent | 3b336c7cedaaa596a07d97ae1eac8cd77b0f6b26 (diff) | |
download | cpython-e275d3d4cec592369a9070eb7e5ee437d09da671.zip cpython-e275d3d4cec592369a9070eb7e5ee437d09da671.tar.gz cpython-e275d3d4cec592369a9070eb7e5ee437d09da671.tar.bz2 |
Mention other placeholders
Diffstat (limited to 'Doc')
-rw-r--r-- | Doc/lib/libsqlite3.tex | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/Doc/lib/libsqlite3.tex b/Doc/lib/libsqlite3.tex index 512ae88..9545696 100644 --- a/Doc/lib/libsqlite3.tex +++ b/Doc/lib/libsqlite3.tex @@ -47,10 +47,11 @@ variables. You shouldn't assemble your query using Python's string operations because doing so is insecure; it makes your program vulnerable to an SQL injection attack. -Instead, use SQLite's parameter substitution. Put \samp{?} as a +Instead, use the DB-API's parameter substitution. Put \samp{?} as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor's \method{execute()} -method. For example: +method. (Other database modules may use a different placeholder, +such as \samp{\%s} or \samp{:1}.) For example: \begin{verbatim} # Never do this -- insecure! |
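Review bot: the added parenthetical on the `+method. (Other database modules may use a different placeholder,` / `+such as \samp{\%s} or \samp{:1}.)` lines names two alternative placeholders but gives the reader no way to find out which one their own module expects; suggest pointing at the module-level `paramstyle` attribute that DB-API 2.0 (PEP 249) requires every conforming module to expose (`\samp{?}` is `qmark`, `\samp{\%s}` is `format`, `\samp{:1}` is `numeric`), so the sentence reads as guidance rather than a guess. It would also help to state explicitly that whatever the placeholder looks like, the values are still passed as the separate second argument to `\method{execute()}`: a `\samp{\%s}` placeholder is easy to confuse with Python's own `%` string formatting, which is exactly the insecure pattern the preceding paragraph warns against.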