views: 53
answers: 4

Hi,

I have a problem with deleting a record from sqlite3 database:

import sqlite3

conn = sqlite3.connect('databaza.db')
c = conn.cursor()
data3 = str(input('Please enter name: '))
mydata = c.execute('DELETE FROM Zoznam WHERE Name=?', (data3,))
conn.commit()
c.close()  # close() must be called; a bare 'c.close' only references the method

All is good, but the delete doesn't work! Does anybody have an idea?

A: 

Check the file permissions.

An aside, I prefer the tokenized method:

mydata = c.execute("DELETE FROM Zoznam WHERE Name='%s'" % data3)
Andrew Sledge
Please enter name: ... `';DROP TABLE Zoznam;` <Enter>
eumiro
You clean all input prior to running it through the cursor. It's no different than what's already there.
Andrew Sledge
Also, the name I ask for is not erased from SQL.
Risino
A: 

I advise you to first make a string for the query, and then execute it. Ex:

query = "delete from zoznam where name = '%s' " % data3
c.execute(query)
conn.commit()
Kelmer
seriously, where do ye get such ideas?
SilentGhost
I don't know why, but I had many problems trying to execute queries in sqlite by enclosing the actual query string as the first argument of the execute method, but somehow I could solve this problem by creating a variable out of the string and then passing it to the execute method.
Kelmer
A: 

Thank you to everybody who tried to help. The right code is:

import sqlite3

conn = sqlite3.connect('databaza.db')
c = conn.cursor()
conn.text_factory = str
data3 = str(input('Please enter name: '))
query = "DELETE FROM Zoznam WHERE Name = '%s';" % data3.strip()
print(query)
mydata = c.execute(query)
conn.commit()  # without commit the delete is rolled back when the connection closes
c.close()
Risino
how's this rubbish got upvoted?
SilentGhost
A: 

# sqlite3 uses '?' placeholders and takes the values as a tuple
mydata = c.execute('DELETE FROM Zoznam WHERE Name=?', (data3,))

Never use:

"DELETE FROM Zoznam WHERE Name='%s'" % data3

If you want to know why, just put:

data = "a';DROP TABLE Zoznam;'"

and all your problems get solved :)

The database connector is responsible for escaping data if you pass it as I told you.

singularity
"database connector is responsible of escaping data if you pass it" No it's not. Maintaining the integrity of the data is the developer's responsibility.
Andrew Sledge
@Andrew Sledge: please tell me where you read this; check your documentation. I don't know about other DB connectors, but for psycopg2 check this: http://initd.org/psycopg/docs/usage.html
singularity
That's just best practice. Something you should already know. Never trust user input, and he's using SQLite and not Pg.
Andrew Sledge
@Andrew Sledge: wow, where did you read that? Read this http://docs.python.org/py3k/library/sqlite3.html and please stop saying what you don't know.
singularity
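The thread's two threads of argument, "the delete doesn't match anything" and "string formatting versus placeholders", can both be seen in one runnable script. The following is an added example, not code from any of the posters; it builds a throwaway in-memory Zoznam table with constructed names, and the function names and sample rows are assumptions. It shows that cursor.rowcount reveals a non-matching (unstripped) name, that a perfectly legitimate name with an apostrophe breaks the formatted query while the parameterized one handles it, and that the payload quoted in the comments is bound as an ordinary non-matching value when passed through a '?' placeholder.

```python
import sqlite3

# Constructed sample rows for the demonstration (hypothetical names).
SAMPLE_ROWS = [("Anna",), ("O'Neil",), ("Peter",)]


def make_db():
    """Create an in-memory table shaped like the question's 'Zoznam' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Zoznam (Name TEXT)")
    conn.executemany("INSERT INTO Zoznam (Name) VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def delete_by_name_unsafe(conn, name):
    """The string-formatting style from the thread: the value is spliced into the SQL text."""
    cur = conn.execute("DELETE FROM Zoznam WHERE Name='%s'" % name)
    conn.commit()
    return cur.rowcount


def delete_by_name(conn, name):
    """Parameterized delete: sqlite3 takes '?' placeholders and a tuple of values.

    The value is bound as data, so quotes and semicolons inside it are never parsed as SQL.
    Stripping whitespace mirrors the .strip() the accepted answer needed for typed input.
    """
    cur = conn.execute("DELETE FROM Zoznam WHERE Name = ?", (name.strip(),))
    conn.commit()
    return cur.rowcount  # rows actually deleted; 0 means nothing matched


def remaining_names(conn):
    return [row[0] for row in conn.execute("SELECT Name FROM Zoznam ORDER BY Name")]


def table_exists(conn):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Zoznam'"
    ).fetchone()
    return row[0] == 1


def demo():
    """Run the three scenarios and return their outcomes in a dict."""
    results = {}
    conn = make_db()

    # 1. A trailing space (typical of typed input) silently matches nothing;
    #    rowcount is the check that tells you the delete "didn't work".
    results["unstripped_format"] = delete_by_name_unsafe(conn, "Peter ")
    results["stripped_param"] = delete_by_name(conn, "Peter ")

    # 2. A legitimate name containing an apostrophe breaks the formatted query...
    try:
        delete_by_name_unsafe(conn, "O'Neil")
        results["apostrophe_format"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_format"] = "syntax error"
    # ...but is just a value for the parameterized one.
    results["apostrophe_param"] = delete_by_name(conn, "O'Neil")

    # 3. The payload quoted in the comments is bound as a (non-matching) name, nothing more.
    results["payload_param"] = delete_by_name(conn, "';DROP TABLE Zoznam;")
    results["table_exists"] = table_exists(conn)
    results["remaining"] = remaining_names(conn)

    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The rowcount return value is the practical answer to "delete doesn't work": a DELETE that matches no row raises no error, so checking rowcount (and stripping the input first) distinguishes "wrong name" from "wrong code". The apostrophe case is the non-adversarial argument for placeholders: the formatted query is not only injectable, it is simply incorrect for ordinary data.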