QuoteSQL
Lawrence D'Oliveiro
ldo at geek-central.gen.new_zealand
Wed Sep 27 07:38:48 EDT 2006
In message <Xns984B793317A15duncanbooth at 127.0.0.1>, Duncan Booth wrote:
> Lawrence D'Oliveiro <ldo at geek-central.gen.new_zealand> wrote:
>
>>> You are still missing the point. I'm not talking about generating a
>>> MySQL string literal, I'm talking about preventing wildcards
>>> characters having their special meaning when using the string as a
>>> parameter in cursor.execute.
>>
>> But that's what cursor.execute will do if you use its
>> parameter-substitution mechanism--generate a string literal.
>
> The current implementation of the MySQL database adapter will do that.
> Other database adaptors may handle parameters without generating string
> literals.
Doesn't matter what other implementations of parametrization might or might
not do. The syntax I generate is valid for MySQL, therefore it will work
with the MySQL database adapter regardless of what else the adaptor might
do.
>>> You still have to escape the escape character...
>>
>> Which will be done by cursor.execute if you use its
>> parameter-substitution mechanism.
>
> Too late and not enough. Too late, because if you want to search for the
> literal "\\%" (single backslash percent) you need to escape the backslash
> before you escape the percent. Not enough because at the point MySQLdb
> finally converts it to a string literal a literal backslash to be used in
> a context where wildcards are allowed needs to be spelled with 4
> backslashes. i.e. it needs to be escaped twice, once for the string
> literal and once to stop it being interpreted as an escape within the
> wildcard string.
I'm assuming you mean, how would you get from a Python expression to a MySQL
clause that looks like
name like "%\\\\%%"
(wildcard % followed by literal backslash \\ followed by literal percent \%
followed by wildcard %.) That's easy:
EscapeSQLWild(r"\%") => r"\\%"
SQLString(r"\\%") => r'"\\\\%"'
So the Python expression
"name like %s" % SQLString("%" + EscapeSQLWild(r"\%") + "%")
gives you what you want.
> Correct: they both do the same thing. So you have to use either SQLString
> or the parameter substitution. You cannot use both. Calling SQLString on a
> string to be passed in to the parameter substitution mechanism will not
> work correctly.
I thought I had made that clear already.
More information about the Python-list
mailing list