QuoteSQL
Steve Holden
steve at holdenweb.com
Tue Sep 26 09:15:45 EDT 2006
Lawrence D'Oliveiro wrote:
> In message <mailman.637.1159253927.10491.python-list at python.org>, Steve
> Holden wrote:
>
>
>>Lawrence D'Oliveiro wrote:
>>
>>>In message <mailman.560.1159188345.10491.python-list at python.org>, Steve
>>>Holden wrote:
>>>
>>>
>>>
>>>>When you use the DB API correctly and paramterise your queries you still
>>>>need to quote wildcards in search arguments, but you absolutely
>>>>shouldn't quote the other SQL specials.
>>>>
>>>>That's what parameterised queries are for on the first place...
>>>
>>>
>>>So you're suggesting I quote the wildcards, then rely on autoquoted
>>>parameters to handle the rest? Unfortunately, that's stupid mistake
>>>number 2.
>>
>>Ah, so your quoting function will deduce the context in which arguments
>>intended for parameter substitution in the query will be used? Or are
>>you suggesting that it's unwise to rely on autoquoted parameters?
>
>
> No, I'm saying it's _incorrect_ to use the existing autoquoting mechanism in
> combination with a separate function that escapes the wildcards. I
> previously described the two stupid mistakes that can arise from having a
> separate function for doing just the wildcard quoting: this is the second
> one.
>
Sadly your assertions alone fail to convince. Perhaps you could provide
a concrete example?
>
>>That could have a serious impact on the efficiency of some repeated
>>queries.
>
>
> Correctness comes before efficiency. It's no point doing it quickly if
> you're doing it wrong.
Indeed not. But there's no point being right if you can't explain why.
regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC/Ltd http://www.holdenweb.com
Skype: holdenweb http://holdenweb.blogspot.com
Recent Ramblings http://del.icio.us/steve.holden
More information about the Python-list
mailing list