QuoteSQL

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Tue Sep 26 03:12:57 EDT 2006


In message <mailman.637.1159253927.10491.python-list at python.org>, Steve
Holden wrote:

> Lawrence D'Oliveiro wrote:
>>
>> In message <mailman.560.1159188345.10491.python-list at python.org>, Steve
>> Holden wrote:
>> 
>> 
>>>When you use the DB API correctly and parameterise your queries you still
>>>need to quote wildcards in search arguments, but you absolutely
>>>shouldn't quote the other SQL specials.
>>>
>>>That's what parameterised queries are for in the first place...
>> 
>> 
>> So you're suggesting I quote the wildcards, then rely on autoquoted
>> parameters to handle the rest? Unfortunately, that's stupid mistake
>> number 2.
> 
> Ah, so your quoting function will deduce the context in which arguments
> intended for parameter substitution in the query will be used? Or are
> you suggesting that it's unwise to rely on autoquoted parameters?

No, I'm saying it's _incorrect_ to use the existing autoquoting mechanism in
combination with a separate function that escapes the wildcards. I
previously described the two stupid mistakes that can arise from having a
separate function for doing just the wildcard quoting: this is the second
one.

> That could have a serious impact on the efficiency of some repeated
> queries. 

Correctness comes before efficiency. There's no point doing it quickly if
you're doing it wrong.
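To make the wildcard point concrete, here is an added example that is not part of this thread: a Python sqlite3 session over constructed data showing that a parameterised LIKE query keeps the argument from altering the statement, yet `%` and `_` inside it still act as wildcards, and how an escape function combined with an ESCAPE clause makes them literal. The table, rows and function names are assumptions of the example.

```python
import sqlite3

# Constructed sample rows for the example; not from the thread.
ROWS = [("alice",), ("bob",), ("carol_1",), ("100%",)]


def escape_like(s, esc="\\"):
    """Escape LIKE wildcards so the argument matches literally.
    The escape character itself is doubled first."""
    return (s.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", ROWS)
    return conn


def search_raw(conn, term):
    # Parameterised: the term can never break out of the string literal,
    # but % and _ inside it are still interpreted by LIKE as wildcards.
    cur = conn.execute("SELECT name FROM users WHERE name LIKE ?", (term,))
    return sorted(r[0] for r in cur)


def search_literal(conn, term):
    # Still parameterised; wildcards in the term are escaped and the
    # ESCAPE clause tells LIKE which character marks a literal.
    cur = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
        (escape_like(term),))
    return sorted(r[0] for r in cur)


def search_prefix(conn, prefix):
    # The wildcard is added by the code, not by the caller: escape the
    # user-supplied part, then append the intended trailing %.
    cur = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
        (escape_like(prefix) + "%",))
    return sorted(r[0] for r in cur)
```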


