QuoteSQL
Lawrence D'Oliveiro
ldo at geek-central.gen.new_zealand
Tue Sep 26 06:45:58 EDT 2006
In message <Xns984A6E99A1A73duncanbooth at 127.0.0.1>, Duncan Booth wrote:
> However, your QuoteSQL messes up every time because it wraps double
> quotes round the whole string, so it isn't suitable for use with
> parameterised queries at all. If you care to modify it to work in that
> situation I think you'll find that the only characters you need to quote
> are \, % and _.
That won't work--that puts you into stupid mistake number 2.
I think autoquoting is fine as far as it goes. But it cannot cope with
wildcards, since it can't tell whether the string is being used in a LIKE
clause without doing its own parsing of the MySQL query. And there are
situations where you cannot rely on it, as in the QuoteSQLList example I
gave earlier. This is why my QuoteSQL function cannot be designed to work
together with autoquoting, but has to be used as a complete replacement for
it.
> In particular it currently turns newlines into backslash followed by n which
> (since MySQL ignores the extra backslash escape) is equivalent to turning
> newlines into the character n.
But \n is valid MySQL syntax for a newline.
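The two points the thread circles around, parameter binding leaving LIKE wildcards live and pre-quoted values not mixing with binding, can be shown in a few lines. The block below is an added example, not code from this thread or from either poster's QuoteSQL; sqlite3 stands in for MySQL because it ships with Python and runs offline, and the names escape_like, search_plain, search_escaped, search_prequoted and the sample rows are all constructed for the illustration. One caveat the example makes visible: MySQL uses backslash as the default LIKE escape character, whereas SQLite (and standard SQL) only honour an escape character given in an explicit ESCAPE clause, so the query spells it out.

```python
"""Added example: escape only LIKE metacharacters, let parameter binding
do the rest of the quoting.  sqlite3 is used in place of MySQL so the
example runs offline; function names and sample data are constructed."""
import sqlite3

ESCAPE = "\\"  # the escape character named in the ESCAPE clause below

# Constructed sample data: strings containing the two LIKE
# metacharacters and a literal backslash.
SAMPLE_ROWS = [
    "50% off",
    "50 percent off",
    "a_b",
    "acb",
    "back\\slash",
    "backslash",
]


def escape_like(text, escape=ESCAPE):
    """Escape only what LIKE itself interprets: the escape character,
    % and _.  Quotes, newlines and the like are left alone on purpose;
    they are the driver's job via parameter binding.  The escape character
    is doubled first so the escapes added afterwards are not doubled too."""
    return (text.replace(escape, escape + escape)
                .replace("%", escape + "%")
                .replace("_", escape + "_"))


def make_db():
    """In-memory table holding SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)",
                     [(row,) for row in SAMPLE_ROWS])
    return conn


def search_plain(conn, prefix):
    """Prefix search with parameter binding only.  The bound value is a
    correctly quoted string literal, but any % or _ inside it is still a
    live wildcard when LIKE evaluates the pattern."""
    rows = conn.execute("SELECT name FROM items WHERE name LIKE ?",
                        (prefix + "%",)).fetchall()
    return [r[0] for r in rows]


def search_escaped(conn, prefix):
    """Same search with the user-supplied part escaped for LIKE.  The
    ESCAPE clause is written into the SQL text; in the SQL it reads
    ESCAPE '\\' (one backslash), which SQLite requires and MySQL would
    assume by default."""
    pattern = escape_like(prefix) + "%"
    rows = conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\'",
        (pattern,)).fetchall()
    return [r[0] for r in rows]


def search_prequoted(conn, prefix):
    """The mistake the thread warns about: wrapping the value in quotes
    yourself *and* binding it.  The quotes become part of the data, so
    the pattern "50%"% matches nothing."""
    rows = conn.execute("SELECT name FROM items WHERE name LIKE ?",
                        ('"' + prefix + '"%',)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(search_plain(db, "50%"))       # wildcard leaks: both "50..." rows
    print(search_escaped(db, "50%"))     # only "50% off"
    print(search_plain(db, "a_"))        # "a_b" and "acb"
    print(search_escaped(db, "a_"))      # only "a_b"
    print(search_escaped(db, "back\\"))  # only the row with a real backslash
    print(search_prequoted(db, "50%"))   # nothing: the quotes are data now
```

escape_like deliberately touches nothing but `\`, `%` and `_`, and it is only applied to the piece of the pattern the user supplies; that keeps it usable alongside parameter binding, and keeps it out of any query that is not a LIKE pattern, which is the distinction the thread is about.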