QuoteSQL

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Tue Sep 26 17:19:03 EDT 2006


In message <mailman.679.1159277222.10491.python-list at python.org>, Steve
Holden wrote:

> Lawrence D'Oliveiro wrote:
>> In message <mailman.637.1159253927.10491.python-list at python.org>, Steve
>> Holden wrote:
>> 
>> 
>>>Lawrence D'Oliveiro wrote:
>>>
>>>>In message <mailman.560.1159188345.10491.python-list at python.org>, Steve
>>>>Holden wrote:
>>>>
>>>>
>>>>
>>>>>When you use the DB API correctly and parameterise your queries you
>>>>>still need to quote wildcards in search arguments, but you absolutely
>>>>>shouldn't quote the other SQL specials.
>>>>>
>>>>>That's what parameterised queries are for in the first place...
>>>>
>>>>
>>>>So you're suggesting I quote the wildcards, then rely on autoquoted
>>>>parameters to handle the rest? Unfortunately, that's stupid mistake
>>>>number 2.
>>>
>>>Ah, so your quoting function will deduce the context in which arguments
>>>intended for parameter substitution in the query will be used? Or are
>>>you suggesting that it's unwise to rely on autoquoted parameters?
>> 
>> 
>> No, I'm saying it's _incorrect_ to use the existing autoquoting mechanism
>> in combination with a separate function that escapes the wildcards. I
>> previously described the two stupid mistakes that can arise from having a
>> separate function for doing just the wildcard quoting: this is the second
>> one.
>> 
> Sadly your assertions alone fail to convince. Perhaps you could provide
> a concrete example?

Sorry, that turned out to be wrong. You do in fact need to escape the
escapes on wildcards.
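The thread's conclusion, that wildcard quoting must also quote the escape character itself, is easy to demonstrate. The following is an added example (not code from the thread or from Lawrence D'Oliveiro or Steve Holden) using Python's stdlib sqlite3 module and a constructed in-memory table. It contrasts three ways of building a LIKE search from user text: a plain parameterised query (safe from SQL injection, but user-supplied `%` and `_` still act as wildcards), a version that escapes only the wildcards, and a version that first doubles the escape character and then escapes the wildcards. Function names, the table and its rows are assumptions made for the example.

```python
import sqlite3

# Escape character declared in the ESCAPE clause of the queries below (assumed).
ESC = "\\"

SQL_PLAIN = "SELECT name FROM items WHERE name LIKE ? ORDER BY rowid"
SQL_ESCAPE = "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\' ORDER BY rowid"


def escape_like(term, esc=ESC):
    """Make user text safe for inclusion in a LIKE pattern.

    The escape character is doubled first, so a user-supplied backslash
    cannot swallow the escape we put in front of a following wildcard.
    Then the SQL wildcards '%' and '_' are escaped.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def escape_wildcards_only(term, esc=ESC):
    """Incomplete variant: escapes % and _ but not the escape character.

    With input '\\%' this yields '\\\\%': an escaped backslash followed by a
    live wildcard, so the wildcard leaks through.
    """
    return term.replace("%", esc + "%").replace("_", esc + "_")


def make_db():
    """Constructed sample table; rows chosen to exercise %, _ and the escape char."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    rows = [("100%",), ("100 percent",), ("a_b",), ("aXb",),
            ("50\\%",), ("back\\slash",)]
    conn.executemany("INSERT INTO items VALUES (?)", rows)
    return conn


def _run(conn, sql, pattern):
    # The pattern is always passed as a bound parameter, never interpolated
    # into the SQL text: quoting wildcards is a separate concern from that.
    return [row[0] for row in conn.execute(sql, (pattern,))]


def search_naive(conn, term):
    """Parameterised only: no SQL injection, but wildcards in term still match."""
    return _run(conn, SQL_PLAIN, "%" + term + "%")


def search_wildcards_only(conn, term):
    """Escapes % and _ but forgets to escape the escape character."""
    return _run(conn, SQL_ESCAPE, "%" + escape_wildcards_only(term) + "%")


def search_escaped(conn, term):
    """Escapes the escape character and both wildcards: substring match only."""
    return _run(conn, SQL_ESCAPE, "%" + escape_like(term) + "%")


if __name__ == "__main__":
    db = make_db()
    for term in ("100%", "a_b", "\\%"):
        print(repr(term), "naive:", search_naive(db, term),
              "wildcards-only:", search_wildcards_only(db, term),
              "escaped:", search_escaped(db, term))
```

The `ESCAPE '\'` clause is what gives the backslash its meaning inside the pattern; SQLite has no default escape character for LIKE, so without the clause a backslash in the pattern is an ordinary character and the wildcards can only be neutralised by escaping them under a declared escape character, which in turn must itself be escaped in user text.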
