Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Database lookup problem

Status
Not open for further replies.
gfender

gfender

IS-IT--Management
May 22, 2003
55
GB
Hi everyone,
I'm implementing a computer inventory system using ADO and python with SQL Server 2K. My problem is with the following code:

def lookupHdw( barcode ):
(hdwLook, success) = conn.Execute("SELECT emp FROM table1 WHERE CPU = " + barcode )
Response.Write( hdwLook.Fields("emp").Value )

lookupHdw( "HTS00002560" )

I'm using python with asp so i get the following error at runtime: "Invalid column name 'HTS00002560'". I've run this statement using SQL query analyzer and it worked fine.
I believe it's an issue with strings because i did a function identical to this one except with numeric values and not varchar's and it worked great. Also, the data type of CPU in the table is nvarchar.
Please help, this is a pivotal point in my project and is driving my against the wall.
THANK YOU!!!

-Gabe
 
Sort by date Sort by votes
Nevermind, I figured it out. Thanks anyways.
 
Upvote 0 Downvote
Post the answer, I was waiting to see it, I'm all curious now :)

01010100 01101001 01100101 01110010 01101110 01101111 01101011 00101110 01100011 01101111 01101101
29 3K 10 3D 3L 3J 3K 10 32 35 10 3E 39 33 35 10 3K 3F 10 38 31 3M 35 10 36 3I 35 35 10 3K 39 3D 35 10 1Q 19
Do you know how hot your computer is running at home? I do
 
Upvote 0 Downvote
He didn't quote the value.
This should be:

[tt]def lookupHdw( barcode ):
(hdwLook, success) = conn.Execute("SELECT emp FROM table1 WHERE CPU = '" + barcode+ "'")
Response.Write( hdwLook.Fields("emp").Value )[/tt]

And for security reason, he'd better protect his application from the SQL-Injection attack with:

[tt]def lookupHdw( barcode ):
(hdwLook, success) = conn.Execute("SELECT emp FROM table1 WHERE CPU = '" + barcode.replace("'","''") + "'")
Response.Write( hdwLook.Fields("emp").Value )[/tt]
 
Upvote 0 Downvote
Heh, sorry, just started with Python recently, should have noticed that error, it's pretty common across all languages...

01010100 01101001 01100101 01110010 01101110 01101111 01101011 00101110 01100011 01101111 01101101
29 3K 10 3D 3L 3J 3K 10 32 35 10 3E 39 33 35 10 3K 3F 10 38 31 3M 35 10 36 3I 35 35 10 3K 39 3D 35 10 1Q 19
Do you know how hot your computer is running at home? I do
 
Upvote 0 Downvote
Thanks, I didn't realize the vulernability until just now. I appreciate it.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

69ashton
  • Locked
  • Question
brand new to python, program works but on testing has some problems 1
Replies
4
Views
83
mikrom
mikrom
IPGuru
  • Locked
  • Question
problem using ~ for home directory
Replies
1
Views
38
IPGuru
IPGuru
Me4President
  • Locked
  • Question
Simple python problem - process strings in loops
Replies
5
Views
73
mikrom
mikrom
mikrom
  • Locked
  • Helpful tip
Recursion problem 1
Replies
4
Views
77
mikrom
mikrom
bhavanasi
  • Locked
  • Question
problems in creating the daemon process
Replies
0
Views
64
bhavanasi
bhavanasi

Part and Inventory Search

Sponsor

Back
Top