Python Risk

Delaney, Timothy tdelaney at avaya.com
Sun May 13 20:28:59 EDT 2001


> >> > * Strings may now be enclosed in double quotes as well as in single
> >> > quotes.  There is no difference in interpretation.
> >> >
> >> > I mean, really, who ordered *that*?
> >> 
> >> I don't know, but it makes it easy to put either double quotes or single
> >> quotes inside a string, thus:
> >> 
> >> " ' "   ' " '
> >
> >So you would want to add _all_ that syntax just to save a single '\'
> >character in typing <wink>. I mean how often do you have quotes in your
> >strings...
> >
> 
> This dual quote syntax has saved my b many times. Visual Foxpro
> actually allows "xx'xxx" or 'xxxx"xxxxx' or [zzzz"yyy'wwww]
> 
> When building expressions or taking user input sometimes you cannot
> expect users not to enter a ' or " in the data. 
> 
> E.g.
> 
> select * from file where name="O'Brien"

Ah - but what about

select * from file where quote="O'Brien quoted "OK""

Won't work.

If the user can enter the criteria, you must always assume that they will
enter both single and double quotes. So you always need to "fix" the data -
for most SQL databases you double the quotes that match the delimiters, and
single-quote is the most standard delimiter.

So the better select statements there would be ...

select * from file where name='O''Brien'
select * from file where quote='O''Brien quoted "OK"'

Besides, it's more aesthetically pleasing than

select * from file where quote="O'Brien quoted ""OK"""

Tim Delaney
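Added example (not code from this thread or from any of its posters): the quote-doubling that the post describes, run against an in-memory SQLite table so the three cases above can be checked rather than eyeballed. The table `file(name, quote)` is constructed from the queries in the thread; the helper names (`sql_literal`, `build_select`, `lookup_by_parameter`) are made up here. The parameter-binding variant at the end goes beyond the post: it shows the driver supplying the literal itself, so the program never has to "fix" the data at all.

```python
import sqlite3

# Constructed sample rows: the name from the thread plus a value holding
# both kinds of quote, the case the post says you must always assume.
SAMPLE_ROWS = [
    ("O'Brien", "O'Brien quoted \"OK\""),
    ("Smith", "plain"),
]


def sql_literal(value: str) -> str:
    """Render value as a single-quoted SQL literal, doubling every embedded
    single quote (the rule the post gives for most SQL databases).  Double
    quotes are not the delimiter here, so they pass through unchanged."""
    return "'" + value.replace("'", "''") + "'"


def build_select(column: str, value: str) -> str:
    """Hypothetical helper: column is a trusted identifier chosen by the
    program, value is untrusted input routed through sql_literal()."""
    return f"select * from file where {column}={sql_literal(value)}"


def make_db() -> sqlite3.Connection:
    """In-memory database with the constructed rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table file (name text, quote text)")
    conn.executemany("insert into file values (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_by_literal(conn, column, value):
    """Run the select built by concatenation plus quote doubling."""
    return conn.execute(build_select(column, value)).fetchall()


def lookup_by_parameter(conn, column, value):
    """Same query with the value bound as a parameter: the driver produces
    the literal, so no quote handling is needed in the program."""
    sql = f"select * from file where {column}=?"
    return conn.execute(sql, (value,)).fetchall()


def round_trip(conn, value):
    """Let the database parse sql_literal(value) and hand the string back;
    equality with the input shows the doubling was interpreted correctly."""
    return conn.execute("select " + sql_literal(value)).fetchone()[0]


def naive_double_quoted_fails(conn) -> bool:
    """The 'Ah - but what about' query from the post, unescaped.  SQLite
    rejects it, because the inner double quote ends the string early."""
    bad = "select * from file where quote=\"O'Brien quoted \"OK\"\""
    try:
        conn.execute(bad)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(build_select("name", "O'Brien"))
    print(lookup_by_literal(db, "quote", "O'Brien quoted \"OK\""))
    print(lookup_by_parameter(db, "quote", "O'Brien quoted \"OK\""))
    print("naive query rejected:", naive_double_quoted_fails(db))
```

The doubling rule is dialect-specific (SQLite, PostgreSQL and most others double the single quote; some drivers accept a backslash as well), which is the practical argument for letting the driver bind parameters instead of building the literal by hand.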