SQL statements are executed with user controlled values inserted. This allows for easy SQL injection attacks against the server.
Attached is a patch to correct them. It was only tested against sqlite3 so it should probably be tested against MySQL before being committed.
Also included in the patch is a change to the first line to use /usr/bin/env to make the script more portable. It can be dropped or added as a different patch if needed.
- sqlfix.patch 5.77KB
Comment #1
Posted on Sep 6, 2013 by Helpful Bear
Working on testing with sqlite and mysql.
Works with sqlite3,
Seems to fail with sqlite.. so trying to figure out why. I imagine it's when passing in an empty variable or something
Comment #2
Posted on Sep 6, 2013 by Helpful Bear
This patch is not compatible with sqlite and mysql, because the paramstyle is different on each of these databases, see: http://www.python.org/dev/peps/pep-0249/#paramstyle
I am not sure the best way to resolve this yet.
>>> print MySQLdb.paramstyle
format
>>> import sqlite
>>> print sqlite.paramstyle
pyformat
>>> import sqlite3
>>> print sqlite3.paramstyle
qmark
Comment #3
Posted on Nov 27, 2013 by Helpful Camel
There seems to be a workaround to this here: http://sourceforge.net/p/pydal/code/HEAD/tree/trunk/dal/dbapi/paramstyles.py
This converts from any paramstyle to any other paramstyle.
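As an added example (not the attached patch and not the pydal code linked above), a small converter from qmark placeholders to whichever PEP 249 paramstyle the loaded driver reports, used by a lookup that stays parameterized on sqlite3 and MySQLdb alike; it goes beyond the two drivers discussed by covering all five styles. It assumes the SQL text contains no literal "?" inside string constants, and the names convert_qmark, lookup_user and the users table are constructed for the demo.

```python
import re
import sqlite3

# Placeholder text for the positional PEP 249 paramstyles; the named styles
# (named, pyformat) need a dict of values instead of a sequence, see below.
POSITIONAL = {"qmark": "?", "format": "%s"}

def convert_qmark(sql, params, paramstyle):
    """Rewrite a query written with qmark placeholders ("?") plus a sequence
    of values into the placeholder syntax of the target paramstyle.
    Assumption: no literal "?" inside quoted string constants in sql."""
    params = tuple(params)
    if sql.count("?") != len(params):
        raise ValueError("placeholder count does not match parameter count")
    if paramstyle in POSITIONAL:
        return sql.replace("?", POSITIONAL[paramstyle]), params
    counter = iter(range(len(params)))
    if paramstyle == "numeric":        # :1, :2, ... (1-based), values stay a tuple
        return re.sub(r"\?", lambda m: ":%d" % (next(counter) + 1), sql), params
    if paramstyle == "named":          # :p0, :p1, ... with a dict of values
        out = re.sub(r"\?", lambda m: ":p%d" % next(counter), sql)
    elif paramstyle == "pyformat":     # %(p0)s, %(p1)s, ... with a dict of values
        out = re.sub(r"\?", lambda m: "%%(p%d)s" % next(counter), sql)
    else:
        raise ValueError("unknown paramstyle: %r" % paramstyle)
    return out, {"p%d" % i: v for i, v in enumerate(params)}

def lookup_user(module, conn, username):
    """Parameterized lookup that works for any DB-API module: the driver gets
    the user-controlled value separately from the SQL text, so it is bound as
    data and never parsed as SQL, whatever characters it contains."""
    sql, params = convert_qmark("SELECT name FROM users WHERE name = ?",
                                [username], module.paramstyle)
    cur = conn.cursor()
    cur.execute(sql, params)
    return cur.fetchall()

def lookup_user_unsafe(conn, username):
    """The pattern the report describes: the value is pasted into the SQL."""
    cur = conn.cursor()
    cur.execute("SELECT name FROM users WHERE name = '%s'" % username)
    return cur.fetchall()

def demo():
    """Constructed in-memory sqlite3 database; returns (safe_rows, unsafe_rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    evil = "' OR '1'='1"  # constructed input: the classic tautology probe
    return lookup_user(sqlite3, conn, evil), lookup_user_unsafe(conn, evil)
```

The parameterized lookup returns no rows for the constructed input, while the string-formatted version returns every user, which is the defect the report is about.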
Status: Accepted
Labels:
Type-Defect
Priority-Medium