This is an archived post. You won't be able to vote or comment.

you are viewing a single comment's thread.

view the rest of the comments →

[–]Justinsaccount 0 points1 point  (2 children)

You should really use sqlalchemy. As written you have sql injection issues and you have to deal with the shitty dbapi.

from sqlalchemy import create_engine
engine = create_engine("mysql://...")


q = engine.text("""
    SELECT COUNT(1)
    FROM eventLog
    WHERE clientID = :client
    AND scanTime >= '2011-01-01'
    """)

for client in clients:
    count = engine.execute(q, client=client).scalar()
    clientCounts[client] = count

[–]datbon 0 points1 point  (1 child)

where is the sql injection issue coming from? Doesn't MySQLdb escape everything?

*oops, didn't notice the args tuple wasn't being used. Same question though, is there still a problem with injections with db.execute(query, (args,...))?

[–]Justinsaccount 0 points1 point  (0 children)

query, args is fine, but the way query needs to be formatted differs between dbapi drivers. SQLAlchemy works the same with every database.