QuoteSQL
Steve Holden
steve at holdenweb.com
Tue Sep 26 09:11:09 EDT 2006
Lawrence D'Oliveiro wrote:
> In message <Xns984A6E99A1A73duncanbooth at 127.0.0.1>, Duncan Booth wrote:
>
>>However, your QuoteSQL messes up every time because it wraps double
>>quotes round the whole string, so it isn't suitable for use with
>>parameterised queries at all. If you care to modify it to work in that
>>situation I think you'll find that the only characters you need to quote
>>are \, % and _.
>
> That won't work--that puts you into stupid mistake number 2.
>
> I think autoquoting is fine as far as it goes. But it cannot cope with
> wildcards, since it can't tell whether the string is being used in a LIKE
> clause without doing its own parsing of the MySQL query. And there are
> situations where you cannot rely on it, as in the QuoteSQLList example I
> gave earlier. This is why my QuoteSQL function cannot be designed to work
> together with autoquoting, but has to be used as a complete replacement for
> it.
>
>>In particular it currently turns newlines into backslash followed by n which
>>(since MySQL ignores the extra backslash escape) is equivalent to turning
>>newlines into the character n.
>
> But \n is valid MySQL syntax for a newline.
Phew. It's a good job that MySQL is the only database in the known
universe, then, isn't it.
regards
Steve
--
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC/Ltd http://www.holdenweb.com
Skype: holdenweb http://holdenweb.blogspot.com
Recent Ramblings http://del.icio.us/steve.holden
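An added worked example (not code from the thread or from any of its posters) of the two points argued above: a bound parameter stops SQL injection but does not neutralise LIKE wildcards, so `%`, `_` and the escape character still have to be escaped for that one clause; and backslash-n is MySQL literal syntax rather than SQL, so a newline should travel as a parameter, not as an escape sequence. It assumes Python's standard sqlite3 module as an offline stand-in for MySQL (SQLite treats a backslash inside a string literal as an ordinary character, which is exactly the portability problem Steve points at), and the table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the example; not data from the original thread.
ROWS = [
    ("100% cotton",),
    ("a_b",),
    ("axb",),
    ("plain cotton",),
    ("line1\nline2",),
]


def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters %, _ and the escape character itself.

    The escaped value is still passed as a bound parameter; the query
    declares the escape character with an ESCAPE clause (standard SQL,
    also accepted by MySQL) so the engine treats the escaped characters
    literally. This is the only quoting a parameterised LIKE still needs.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def fresh_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", ROWS)
    return conn


def search_naive(conn, user_input):
    """Bound parameter, so no injection, but wildcards in user_input are live."""
    pattern = "%" + user_input + "%"
    cur = conn.execute("SELECT name FROM t WHERE name LIKE ?", (pattern,))
    return sorted(row[0] for row in cur)


def search_escaped(conn, user_input):
    """Bound parameter plus LIKE escaping: user_input matches only literally."""
    pattern = "%" + escape_like(user_input) + "%"
    # The SQL text contains ESCAPE '\' (one backslash); Python doubles it.
    cur = conn.execute("SELECT name FROM t WHERE name LIKE ? ESCAPE '\\'",
                       (pattern,))
    return sorted(row[0] for row in cur)


def newline_roundtrip(conn):
    """Compare a newline sent as a parameter with a MySQL-style '\\n' literal.

    Returns (rows matched by the bound parameter, rows matched by the literal).
    On SQLite the literal contains a backslash and an 'n', not a newline,
    so it matches nothing: the escape sequence is MySQL syntax, not SQL.
    """
    bound = conn.execute("SELECT count(*) FROM t WHERE name = ?",
                         ("line1\nline2",)).fetchone()[0]
    literal = conn.execute(
        "SELECT count(*) FROM t WHERE name = 'line1\\nline2'").fetchone()[0]
    return bound, literal


if __name__ == "__main__":
    db = fresh_db()
    for term in ("a_b", "%"):
        print(repr(term), "naive:", search_naive(db, term),
              "escaped:", search_escaped(db, term))
    print("newline as parameter / as literal:", newline_roundtrip(db))
```

Run as a script, the naive search for `a_b` also returns `axb`, and a bare `%` returns every row, while the escaped search returns only the rows that contain the characters literally; the newline check shows the parameter matching the stored row and the backslash-n literal matching nothing. The escaping belongs next to the LIKE clause that needs it, which is why a general-purpose quoting function cannot decide on its own whether to apply it.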