QuoteSQL
Duncan Booth
duncan.booth at invalid.invalid
Tue Sep 26 06:02:10 EDT 2006
Lawrence D'Oliveiro <ldo at geek-central.gen.new_zealand> wrote:
> In message <Xns98498D79318AFduncanbooth at 127.0.0.1>, Duncan Booth wrote:
>
>> The spurious escaping of the apostrophe does no harm, but spuriously
>> escaping a newline makes the select match the letter 'n' instead of
>> matching a newline.
>
> And how would you get my QuoteSQL routine, as written, to make the same
> mistake you did?
If you think I made a mistake I'm afraid you'll have to tell me what it
was. I'm unable to read your mind.
However, your QuoteSQL messes up every time because it wraps double
quotes round the whole string, so it isn't suitable for use with
parameterised queries at all. If you care to modify it to work in that
situation I think you'll find that the only characters you need to quote
are \, % and _. Quoting anything else would be a mistake.
In particular it currently turns newlines into backslash followed by n, which
(since MySQL ignores the extra backslash escape) is equivalent to turning
newlines into the character n.
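The distinction drawn in this message, between escaping only the LIKE metacharacters and over-escaping characters such as a newline, can be checked directly. The following is an added example and not code from either participant; it assumes SQLite (Python's bundled sqlite3 module) rather than MySQL, and uses SQLite's LIKE ... ESCAPE clause, in which backslash followed by any character stands for that character literally, so an over-escaped newline degrades to a plain letter n just as described above for MySQL.

```python
import sqlite3

ESCAPE_CHAR = "\\"


def escape_like(value):
    """Escape only the characters that are special inside a LIKE pattern:
    the escape character itself, '%' and '_'. Everything else, including
    newlines, is passed to the driver unchanged as a bound parameter."""
    return (value.replace(ESCAPE_CHAR, ESCAPE_CHAR * 2)
                 .replace("%", ESCAPE_CHAR + "%")
                 .replace("_", ESCAPE_CHAR + "_"))


def over_escape(value):
    """Deliberately wrong variant: additionally rewrites a newline as
    backslash + 'n'. Inside a LIKE pattern that is just a literal 'n'."""
    return escape_like(value).replace("\n", ESCAPE_CHAR + "n")


def no_escape(value):
    """No escaping at all: '%' and '_' keep their wildcard meaning."""
    return value


def build_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    rows = [
        ("line one\nline two",),    # id 1: contains a real newline
        ("no newline here n",),     # id 2: contains the letter n, no newline
        ("100% done_today",),       # id 3: contains literal '%' and '_'
        ("100x done today",),       # id 4: matches 3 only via wildcards
    ]
    conn.executemany("INSERT INTO notes (body) VALUES (?)", rows)
    return conn


def find_containing(conn, fragment, escaper=escape_like):
    """Return ids of rows whose body contains `fragment` as a substring.
    The pattern is always passed as a bound parameter; `escaper` decides
    how the fragment is prepared before the wildcards are added."""
    pattern = "%" + escaper(fragment) + "%"
    cur = conn.execute(
        "SELECT id FROM notes WHERE body LIKE ? ESCAPE '\\'", (pattern,))
    return sorted(row[0] for row in cur)


if __name__ == "__main__":
    db = build_db()
    print(find_containing(db, "\n"))                 # only the row with a newline
    print(find_containing(db, "\n", over_escape))    # every row containing 'n'
    print(find_containing(db, "100%"))               # literal percent sign
    print(find_containing(db, "100%", no_escape))    # '%' acts as a wildcard
```

Searching for a newline with escape_like finds only the row that really contains one, while over_escape turns the same search into "any row containing the letter n". Conversely, leaving '%' and '_' unescaped lets a user-supplied fragment act as a wildcard, which is the over-matching the three-character escape set is there to prevent.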
More information about the Python-list mailing list