diff options
| author | Andrew M. Kuchling <amk@amk.ca> | 2006-06-07 17:02:52 (GMT) |
|---|---|---|
| committer | Andrew M. Kuchling <amk@amk.ca> | 2006-06-07 17:02:52 (GMT) |
| commit | 1271f003a69f94d7bd5c7ed8a51c5021a2e1a6f8 (patch) | |
| tree | 14127956a3fd3bda6d5594cc9efaede072af6330 /Doc | |
| parent | 12238d72a89395332563030c2760b6df159ea874 (diff) | |
| download | cpython-1271f003a69f94d7bd5c7ed8a51c5021a2e1a6f8.zip cpython-1271f003a69f94d7bd5c7ed8a51c5021a2e1a6f8.tar.gz cpython-1271f003a69f94d7bd5c7ed8a51c5021a2e1a6f8.tar.bz2 | |
Mention other placeholders
Diffstat (limited to 'Doc')
| -rw-r--r-- | Doc/whatsnew/whatsnew25.tex | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/Doc/whatsnew/whatsnew25.tex b/Doc/whatsnew/whatsnew25.tex index 84340d4..c777cd4 100644 --- a/Doc/whatsnew/whatsnew25.tex +++ b/Doc/whatsnew/whatsnew25.tex @@ -1923,10 +1923,11 @@ variables. You shouldn't assemble your query using Python's string operations because doing so is insecure; it makes your program vulnerable to an SQL injection attack. -Instead, use SQLite's parameter substitution. Put \samp{?} as a +Instead, use the DB-API's parameter substitution. Put \samp{?} as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor's \method{execute()} -method. For example: +method. (Other database modules may use a different placeholder, +such as \samp{%s} or \samp{:1}.) For example: \begin{verbatim} # Never do this -- insecure! |