variable expansion with sqlite

Kris Kennaway kris at FreeBSD.org
Fri Aug 8 21:16:05 EDT 2008


marc wyburn wrote:
> Hi and thanks,
> 
> I was hoping to avoid having to weld qmarks together but I guess
> that's why people use things like SQL alchemy instead.  It's a good
> lesson anyway.

The '?' substitution is there to safely handle untrusted input.  You 
*don't* want to pass in arbitrary user data into random parts of an SQL 
statement (or your database will get 0wned).  I think of it as a 
reminder that when you have to construct your own query template by 
using "... %s ..." % (foo) to bypass this limitation, that you had 
better be darn sure the parameters you are passing in are safe.

Kris
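The two techniques contrasted above, as an added example that is not part of the original thread: an in-memory sqlite3 database (constructed here), a lookup built with "%s" interpolation that a crafted name turns into "WHERE name = 'x' OR '1'='1'", the same lookup with '?' placeholders, a variable-length IN list that welds one '?' per value together while still passing the values as parameters, and a column name (which the driver cannot parameterize) checked against an allowlist before it goes into the template. The table, rows, function names and the ALLOWED_COLUMNS set are assumptions made for the example.

```python
import sqlite3

def make_db():
    # Constructed sample database; not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable: the caller's string becomes part of the SQL text, so
    # quotes and operators in it are parsed as SQL, not treated as data.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # The '?' placeholder hands the value to the engine separately from the
    # statement, so it is compared literally no matter what it contains.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

def lookup_many(conn, names):
    # "Welding qmarks together": the template is built from our own
    # placeholders only, one per value; the untrusted values still travel
    # as parameters.
    if not names:
        return []
    placeholders = ", ".join("?" * len(names))
    sql = "SELECT name, role FROM users WHERE name IN (%s) ORDER BY name" % placeholders
    return conn.execute(sql, tuple(names)).fetchall()

# Assumed allowlist of identifiers the application is willing to interpolate.
ALLOWED_COLUMNS = {"name", "role"}

def column_values(conn, column):
    # Table and column names cannot be passed through '?', so the "%s"
    # template is unavoidable here; the identifier is checked against a
    # fixed allowlist before it is substituted.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unexpected column: %r" % (column,))
    sql = "SELECT %s FROM users ORDER BY id" % column
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))   # every row comes back
    print("safe:  ", lookup_safe(db, payload))     # nothing matches literally
    print("many:  ", lookup_many(db, ["bob", "alice"]))
    print("column:", column_values(db, "role"))
```

Running the block shows the interpolated query returning all three users for the payload while the parameterized one returns none; passing a column name outside the allowlist raises before any SQL is built.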



