escape single and double quotes

Gabriel Genellina gagsl-py2 at yahoo.com.ar
Wed Oct 24 01:34:39 EDT 2007


On Tue, 23 Oct 2007 20:50:55 -0300, Michael Pelz Sherman  
<mpelzsherman at yahoo.com> wrote:

> Leif B. Kristensen wrote:
>
>>>>  SQL = 'INSERT into TEMP data = %s'
>>>>  c.execute(SQL, """ text containing ' and ` and all other stuff we
>>>>  might read from the network""")
>>
>>> Sure, but does this work if you need more than one placeholder?
>
>> Yes it works with more than one placeholder.
>
> Yes, BUT: I have found that all of the placeholders must be STRINGS!
>
> If I try to use other data types (%d, %f, etc.), I get an error:
>
> File "/usr/lib/python2.5/site-packages/MySQLdb/cursors.py", line 149, in  
> execute
>     query = query % db.literal(args)
> TypeError: float argument required
>
> It's not a huge problem to convert my non-string args, but it
> seems like this should be fixed if it's a bug, no?

No. The *MARK* is always %s - but the data may be any type (suitable for  
the database column, of course).
The only purpose of %s is to say "insert parameter here". Other adapters  
use a question mark ? as a parameter placeholder, a lot less confusing, as  
it does not look like string interpolation.

-- 
Gabriel Genellina
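
An added example, not part of the original message: it binds a string, an int and a float through one uniform marker using the standard-library `sqlite3` module (a `?`-style adapter), then mimics the `query % db.literal(args)` line from the traceback to show why `%d` and `%f` are rejected. The table name `temp_data`, the sample row and the simplified `toy_literal` helper are assumptions made for illustration.

```python
import sqlite3

# sqlite3 is a "qmark" adapter: its parameter marker is '?', not '%s'.
PARAMSTYLE = sqlite3.paramstyle

# Constructed sample row: text with quote characters, an int and a float.
ROW = ("text containing ' and ` and \" read from the network", 42, 3.5)


def roundtrip_qmark(row):
    """Insert str/int/float through the same '?' marker and read them back."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE temp_data (data TEXT, n INTEGER, x REAL)")
    # One marker per value, whatever its type; the driver binds the data.
    conn.execute("INSERT INTO temp_data (data, n, x) VALUES (?, ?, ?)", row)
    stored = conn.execute("SELECT data, n, x FROM temp_data").fetchone()
    conn.close()
    return stored


def toy_literal(value):
    """Hypothetical, simplified stand-in for a driver's literal():
    every value is turned into SQL text before substitution."""
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"
    return str(value)


def format_style_substitute(query, args):
    """Mimic 'query % db.literal(args)': the arguments are already strings."""
    return query % tuple(toy_literal(a) for a in args)


def try_marker(marker, value=3.5):
    """Return the substituted query, or the TypeError text if the marker fails."""
    query = "INSERT INTO temp_data (x) VALUES (" + marker + ")"
    try:
        return format_style_substitute(query, (value,))
    except TypeError as exc:
        return "TypeError: %s" % exc


if __name__ == "__main__":
    print(PARAMSTYLE, roundtrip_qmark(ROW))
    for m in ("%s", "%f", "%d"):
        print(m, "->", try_marker(m))
```
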



