In the words of Steve: dynamic SQL is bad. He recommends that I change my code so that it avoids an SQL injection that could destroy my database. Even though this is just a side project and the people using it would have no reason to do such a thing, it’s probably good practice to learn how to protect against it anyway. I’m going to have to practice parameterizing my SQL. There’s a good doc on the subject at the official Python website. I’m glad that I’ve finally learned the meaning of this xkcd comic:

Steve suggested changing this part:
[python]
# Original version: the values are quoted by hand and pasted straight into the SQL text.
items = ','.join("'" + type + "'" for type in myList)
query = "SELECT Name FROM food WHERE type in (%s)" % items
for row in cursor.execute(query):
    T.insert(END, row)
    T.insert(END, '\n')
[/python]
into something like this:
[python]
# Parameterized version: one '?' marker per value, and the values are passed
# separately so the database driver never treats them as SQL.
placeholders = ','.join('?' for type in myList)
query = "SELECT Name FROM food WHERE type in (%s)" % placeholders
for row in cursor.execute(query, myList):
    T.insert(END, row)
    T.insert(END, '\n')
[/python]
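As an added example (not the post's or Steve's code), here is the same before-and-after against a constructed in-memory sqlite3 table, showing why the string-built query falls over on an ordinary value that happens to contain a quote, while the parameterized query just treats it as data. The `food` rows and the `o'brien` value are made up for the demo.

```python
import sqlite3

# Constructed stand-in for the post's "food" table (in-memory, so it runs offline).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE food (Name TEXT, type TEXT);
        INSERT INTO food VALUES ('apple', 'fruit'), ('carrot', 'vegetable'),
                               ('bread', 'grain');
    """)
    return conn

def names_by_type_unsafe(conn, types):
    # The original pattern: each value is quoted by hand and pasted into the
    # SQL text, so a quote inside a value becomes part of the query syntax.
    items = ",".join("'" + t + "'" for t in types)
    query = "SELECT Name FROM food WHERE type in (%s)" % items
    return [row[0] for row in conn.execute(query)]

def names_by_type_safe(conn, types):
    # The recommended pattern: the SQL text only ever contains '?' markers
    # (one per value); the values travel separately as parameters.
    placeholders = ",".join("?" for _ in types)
    query = "SELECT Name FROM food WHERE type in (%s)" % placeholders
    return [row[0] for row in conn.execute(query, types)]

def unsafe_query_breaks(conn, value):
    # True when the string-built query is no longer valid SQL for this value.
    try:
        names_by_type_unsafe(conn, [value])
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    conn = make_db()
    print(names_by_type_safe(conn, ["fruit", "grain"]))   # ['apple', 'bread']
    # A perfectly ordinary value with an apostrophe is a syntax error for the
    # string-built query, but just a non-matching literal when parameterized.
    print(unsafe_query_breaks(conn, "o'brien"))            # True
    print(names_by_type_safe(conn, ["o'brien"]))           # []
```

The placeholder count is derived from `len(types)`, so the same two lines work for any number of selected types; sqlite3 accepts any sequence (list or tuple) as the parameters argument.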
