QuoteSQL
Duncan Booth
duncan.booth at invalid.invalid
Wed Sep 27 05:47:25 EDT 2006
Lawrence D'Oliveiro <ldo at geek-central.gen.new_zealand> wrote:
> In message <Xns984B5837B9F7Aduncanbooth at 127.0.0.1>, Duncan Booth
> wrote:
>
>> Lawrence D'Oliveiro <ldo at geek-central.gen.new_zealand> wrote:
>>
>>> def EscapeSQLWild(Str) :
>>>     """escapes MySQL pattern wildcards in Str."""
>>>     Result = []
>>>     for Ch in str(Str) :
>>>         if Ch == "%" or Ch == "_" :
>>>             Result.append("\\")
>>>         #end if
>>>         Result.append(Ch)
>>>     #end for
>>>     return "".join(Result)
>>> #end EscapeSQLWild
>>
>> That doesn't quite work. If you want to stop wildcards being
>> interpreted as such in a string used as a parameter to a query, then
>> you have to escape the escape character as well.
>
> That's part of the separation of function. Note that the above
> function does not generate a MySQL string literal: you must still put
> it through the previously-defined SQLString routine, which will
> automatically escape all the specials added by EscapeSQLWild.
>
You are still missing the point. I'm not talking about generating a MySQL
string literal, I'm talking about preventing wildcard characters from having
their special meaning when the string is used as a parameter in
cursor.execute. You still have to escape the escape character, and you have
to do that before or at the same time as you escape the wildcards. No
string literals are involved anywhere.
Calling the SQLString routine in this situation would be wrong because it
would escape characters such as newline which must not be escaped.